[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7Dxnnecji3GOhQCweWIn2KoDccFk_sqEM6lD0nAuWxc":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":25,"category":26,"article_tags":30},"735c345c-e4b7-42fc-9d9a-9e4559c63e31","ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories","threatsday-cloud-bucket-hijacking-windows-lpe-chain-global-fraud-bust-17-more-st-0ade65","Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it. This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives. The full ThreatsDay list is below. Global","This week's security news highlights common administrative oversights leading to significant breaches. A global operation, 'First Light 2026,' resulted in thousands of arrests and seized assets targeting social engineering scams. Additionally, malicious npm and PyPI packages were found typosquatting popular payment SDKs to steal developer secrets, and a critical directory traversal flaw in Esri ArcGIS Server allows unauthenticated file access.","Global fraud bust, cloud bucket hijacking, Windows LPE chain, and malicious npm\u002FPyPI packages detailed.","ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Ravie LakshmananJul 09, 2026Hacking News \u002F Cybersecurity News Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it. This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives. The full ThreatsDay list is below. Global fraud bust Global Operation Leads to ~6K Arrests A global anti-fraud operation involving 97 countries and territories has resulted in the arrest of 5,811 individuals and the interception of $293 million in illicit assets as part of an operation codenamed First Light 2026 that took place between January 15 and April 30, 2026, to tackle social engineering scams and associated money laundering activities. \"Over 142,000 victims globally were identified during Operation First Light 2026, highlighting the extent to which social engineering scams and fraud have escalated into a major transnational threat, affecting individuals, businesses, and governments,\" INTERPOL said. More than 23,000 cases were solved, and 15,606 suspects have been identified. In Eswatini, authorities arrested 82 people and dismantled a criminal network running illegal online gambling, money laundering, and elaborate impersonation scams. The Thai police made two arrests and uncovered a money laundering scheme that converted illicit funds from romance scams into various cryptocurrencies, using cross-chain token swaps to obscure the financial trail. Payment SDK typosquats Coordinated npm and PyPI Campaign Typosquats Secure Payment Apps A cluster of 17 malicious npm and PyPI packages have been found to typosquat Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, and exfiltrate them to an Ngrok endpoint. The malware skips machines that have less than two CPU cores, and the hostname or username contains sandbox, analyzer, cuckoo, virus, malware, vmware, or vbox. \"The threat actor targeted payment app SDKs, which might indicate a financial motive or the desire to monetize using payment app accounts,\" Socket said. \"The threat actor used their obfuscator 'properly.' They did not re-use the same obfuscation key across versions or packages, which is intended to prevent signatures from tracking this malware by the same key. This resulted in different hashes for each file.\" Stealthy code injection Process Parameter Poisoning to Avoid Detection Cybersecurity researchers have outlined a technique called Process Parameter Poisoning (P³) that can be used to code in foreign processes without raising any security alarms. \"P³-Shellcode Loader is a loader that implements a code injection technique which leverages the Process Parameters structure (Process Parameter Poisoning) as an execution and staging location for shellcode injection into remote processes, without triggering common detection mechanisms,\" researchers Max Hirschberger and Ogulcan Ugur said. \"One major advantage of this technique is that no processes are created in a suspended state and no threads or processes are suspended during its execution.\" Unauthenticated file access Critical Directory Traversal Flaw in Esri ArcGIS Server A critical security flaw in Esri ArcGIS Server 12.0 and prior (CVE-2026-9181, CVSS score: 9.8\u002F7.5) could be exploited to access sensitive files on the system without requiring valid credentials by sending crafted path parameters. \"The vulnerability exists in the ArcGIS Server REST Uploads resource, where insufficient validation of crafted path parameters allows an unauthenticated remote attacker to traverse outside the intended directory boundary,\" Horizon3.ai said. Ransomware tooling overlap Interlock and Rhysida Ransomware Ecosystem Detailed A new analysis of the Interlock (aka Hive0163) ransomware operation has identified links with TAG-124 (aka KongTuke and Landupdate808). The threat actor is known to employ a variety of mostly custom malware, including NodeSnake, Interlock RAT, JunkFiction downloader (aka Dormouse), Supper (aka SocksShell and WINDYTWIST), and JunkFiction cryptor. IBM X-Force said it has discovered strong overlaps between NodeSnake, ModeloRAT, JunkFiction downloader, Interlock RAT, and Supper malware variants, indicating a shared original codebase or possibly common developers. Rhysida, on the other hand, often uses Endico downloader, Broomstick (aka Oyster or CleanUpLoader), Supper, and Tomb cryptor (aka Textshell or pkr_mtsi). Evidence indicates a relationship with IceNova (aka Latrodectus) operators and ITG23 (aka TrickBot). Early versions of JunkFiction date back to May 2024, with the downloader being used to Supper, which then delivers CrossTec Remote Control, a legitimate remote administration tool. \"The fact that both ModeloRAT and NodeSnake were deployed by TAG-124\u002FKongTuke, possessed overlaps with other malware families belonging to the Interlock toolkit and used the same exploit during their operations, supports the theory that these activities may be linked,\" IBM X-Force said. Claude data warning China Urges Developers to Ditch Claude China's National Vulnerability Database (CNVDB) is urging developers to uninstall recent Claude Code versions over concerns that they can gather sensitive user data without consent. The \"backdoor code\" can collect details such as a user's location and identity, and forward them to remote servers. The agency said the alert only applies to Claude Code versions 2.1.91 (April 2) to 2.1.196 (June 29). \"It is recommended that relevant units and users immediately conduct a comprehensive investigation,\" CNVDB said. \"For development terminals with the above-mentioned affected versions installed, immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed; strengthen the control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data.\" The disclosure comes shortly after a report that Claude contained covert code designed to prevent Chinese AI companies from extracting details about its inner workings. Anthropic subsequently said it was an experiment to protect against model distillation. Teams support lure Fake IT Support Scheme Delivers EtherRAT A social engineering campaign has combined email phishing with a fake IT support scam abusing Microsoft Teams calls to deliver EtherRAT. \"The attack lures the victim with a fake 'Employee Survey' email and PDF, then pivots to a Microsoft Teams call from an actor impersonating a 'System Administrator,'\" Palo Alto Networks Unit 42 said. \"The actor abuses Teams remote control (give\u002Frequest control) to control the victim's machine, then guides the victim to install different remote RMM tools to establish persistence - HopToDesk and AnyDesk. The actor uses cmd.exe > curl.exe to download a malicious MSI (v7.msi) from camorreado[.]click and execute it. The MSI is a multi-stage loader that downloads a legitimate Node.js runtime, decrypts an embedded payload through a multi-step cipher chain, and runs EtherRAT.\" Scattered Spider link Are Scattered Spider and 0ktapus the Same? The notorious cybercrime group known as Scattered Spider is called by various names, including Octo Tempest, Muddled Libra, and UNC3944. Group-IB, which designated the term 0ktapus to a social engineering attack campaign targeting Twilio in August 2022, said Scattered Spider can be best described as a decentralized cybercrime collective analogous to The Com, with 0ktapus acting as a sub-cluster within the group. Scattered Spider comprises smaller clusters that are united by the use of shared tradecraft and English as a common language, but act separately. \"Physical device theft activity from mobile carrier stores has been observed in at least one subclu","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fthreatsday-cloud-bucket-hijacking.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgAXvG0n7eiC50jtfO-3MYOPx-Z0iWiucBfHqzY2QNH-5fUyfWcGu3NME0yERr2qWKcAeg6rIYMtP_VEeRInpeghztHmnjDa4QyuXSbaktcOdHHK9sx8lurd2RmejcmBjSZIznBl0zKQ-mk4dcCsVdL29g4XPEwUdrlQgj5-GgxvVnolSJJfCJW7g4vosLe\u002Fs1600\u002FThreatsDay-main.jpg","2026-07-09T15:09:28+00:00","2026-07-09T18:00:06.122412+00:00",8,[18,21,23],{"name":19,"type":20},"npm","product",{"name":22,"type":20},"PyPI",{"name":24,"type":20},"Esri ArcGIS Server","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":25,"icon":27,"name":28,"slug":29},null,"Threat Intelligence","threat-intelligence",[31,36,41,46],{"category":32},{"id":33,"icon":27,"name":34,"slug":35},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":37},{"id":38,"icon":27,"name":39,"slug":40},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":42},{"id":43,"icon":27,"name":44,"slug":45},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":47},{"id":48,"icon":27,"name":49,"slug":50},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[52],{"type":53,"value":54,"context":55},"cve","CVE-2026-9181","Critical directory traversal flaw in Esri ArcGIS Server."]