Threat Intelligence | Jun 8, 2026

⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More

Weekly recap covers Instagram hacks, an Android zero-day, a GitHub worm, and a China-linked threat actor expanding its

Summary

Last week saw a variety of cyber threats including the Miasma worm impacting Microsoft's GitHub repositories, Google patching an actively exploited Android zero-day (CVE-2025-48595), and the U.S. disrupting investment fraud schemes. Additionally, the China-linked TA4922 group has expanded its operations into Europe and Africa, focusing on data theft and resale of access.

Full text

Ravie Lakshmanan | Jun 08, 2026 | Cybersecurity / Hacking

Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked. A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit. Lots to cover. Grab coffee. Read up.

⚡ Threat of the Week

Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain Attack - Microsoft's GitHub repositories became the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The development prompted GitHub to disable access to those repositories. Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026.

🔔 Top News

Google Fixes Android Framework Flaw Under Exploitation - Google released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that has come under active exploitation. Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw has been described as a case of privilege escalation without requiring any user interaction. The vulnerability impacts devices running Android versions 14, 15, 16, and 16 QPR2 (Quarterly Platform Release 2). Google has acknowledged there are indications that CVE-2025-48595 may be under "limited, targeted exploitation." As is typically the case, the tech giant did not reveal any specifics about who may have been behind the activity, the targets affected, or the scale of such efforts.

U.S. Action Disrupts Investment Fraud Schemes - The U.S. Department of Justice announced the results of a sweeping action undertaken by government authorities and private sector companies to combat cyber-enabled and cryptocurrency fraud targeting Americans. The "Disruption Week" operation led to the takedown of millions of social media, email, and internet access accounts used by transnational cybercrime groups in Southeast Asia to defraud victims. Private sector entities voluntarily froze over $3.8 million in cryptocurrency involved in the laundering of funds stolen from Americans. The efforts are part of an ongoing U.S. government initiative called Scam Center Strike Force, which aims to dismantle transnational criminal organizations running cyber-enabled fraud and "pig butchering" (aka romance baiting) scams from compounds in Southeast Asia, along with the human trafficking and money laundering operations that fuel the illicit enterprise.

China-Linked TA4922 Broadens Focus to Europe, Africa - A new Chinese-speaking cybercrime group has expanded its reach from East Asia into Europe and Africa, while rapidly overhauling the malware it employs to hack into corporate networks. The actor, tracked as TA4922, is financially motivated and focused on gaining remote access to victim systems for data theft, fraud, and the resale of access. Some elements of the threat actor's tactics overlap with Silver Fox and Void Arachne. Its operations are unusually varied, leveraging malware delivery, credential phishing, and credit card theft across different campaigns. While historical attacks targeted Japan, the actor has also targeted organizations in Taiwan, Korea, Singapore, India, the U.K., Germany, Italy, and South Africa. The lures are localized, impersonating tax authorities, finance departments, and human resources teams in the target's own language to distribute Atlas RAT, RomulusLoader, and SilentRunLoader through DLL side-loading techniques.

OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework - A previously unreported threat cluster dubbed OP-512 has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. The espionage-focused activity has been assessed as originating from China. "OP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities," ReliaQuest said. The web shell framework facilitates file management and authenticated command execution.

Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for 5 Months - Unknown threat actors managed to spy on a senior member of an unnamed global stock exchange for at least five months. There are still several unanswered questions, like who was behind it and how they obtained initial access. However, what's evident is that the attacker spent several months inside the Outlook mailbox and likely accessed sensitive information. The goal of the operation was most likely cyber espionage, but details are scant on which stock exchange was targeted. The earliest sign of malicious activity was observed on October 10, 2025. The attack led to the deployment of a mailbox stealer that ran in 2-4 week intervals to hoover up email data. The captured information was exfiltrated via Dropbox and Microsoft OneDrive Personal, transferring only small batches at a time to avoid raising any red flags. The data exfiltration runs lasted through March 2026.
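The mailbox case above is a textbook low-and-slow pattern: small uploads to consumer cloud storage, weeks apart, over five months, each one too small to trip a volume threshold. A detection that looks at a single day misses it; one that looks at the per-user history over months does not. The script below is an added example (not from the article, nor from any of the vendors named in it) showing that longer-window logic run over a constructed proxy log. The log format, the watched hostnames and the thresholds are assumptions chosen for the example and should be replaced with whatever a real proxy emits and whatever baseline a given environment supports.

```python
"""Flag users whose uploads to personal cloud storage are small, repeated and
spread over a long period (low-and-slow exfiltration).

Constructed example; the log format below is an assumption:
    timestamp  user  method  host  bytes_out
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Consumer file-sharing hosts to watch. Assumed list for this example; a real
# deployment would take it from proxy categorisation or a maintained allow/deny list.
WATCHED_HOSTS = {"content.dropboxapi.com", "onedrive.live.com", "api.onedrive.com"}

# Constructed sample log: "alice" pushes a few hundred KB to Dropbox/OneDrive
# roughly every three to four weeks for five months (the pattern described in
# the article); "bob" makes one large OneDrive upload; "carol" is normal traffic.
SAMPLE_LOG = """\
2025-10-10T02:14:07Z alice POST content.dropboxapi.com 311204
2025-10-31T02:16:44Z alice POST content.dropboxapi.com 288931
2025-11-21T02:13:02Z alice POST content.dropboxapi.com 402117
2025-12-12T02:15:19Z alice POST onedrive.live.com 356480
2026-01-09T02:14:51Z alice POST content.dropboxapi.com 298002
2026-02-06T02:12:33Z alice POST onedrive.live.com 377209
2026-03-06T02:16:05Z alice POST content.dropboxapi.com 341770
2026-01-15T14:03:22Z bob PUT onedrive.live.com 1843900400
2026-01-16T09:41:10Z carol GET www.example.com 512
2026-02-02T11:20:45Z carol POST mail.example.com 20480
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, host, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "method": method,
            "host": host,
            "bytes": int(nbytes),
        })
    return events


def _days(delta):
    """Whole days between two timestamps, rounded (a few minutes of jitter
    between scheduled runs must not turn a 21-day gap into 20)."""
    return round(delta.total_seconds() / 86400, 1)


def find_low_and_slow(events, min_span_days=60, min_uploads=4,
                      max_bytes_per_upload=5_000_000):
    """Return {user: summary} for users whose uploads to WATCHED_HOSTS are
    (a) numerous, (b) individually small and (c) spread over a long window.
    A single big upload or ordinary browsing does not match."""
    per_user = defaultdict(list)
    for e in events:
        if e["host"] in WATCHED_HOSTS and e["method"] in ("POST", "PUT"):
            per_user[e["user"]].append(e)

    findings = {}
    for user, ups in per_user.items():
        ups.sort(key=lambda e: e["ts"])
        span = _days(ups[-1]["ts"] - ups[0]["ts"])
        sizes = [e["bytes"] for e in ups]
        if (len(ups) >= min_uploads and span >= min_span_days
                and max(sizes) <= max_bytes_per_upload):
            gaps = [_days(b["ts"] - a["ts"]) for a, b in zip(ups, ups[1:])]
            findings[user] = {
                "uploads": len(ups),
                "span_days": span,
                "median_bytes": int(median(sizes)),
                "median_gap_days": median(gaps),
                "hosts": sorted({e["host"] for e in ups}),
            }
    return findings


if __name__ == "__main__":
    for user, info in find_low_and_slow(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info}")
```

The three conditions are deliberately conjunctive: count alone catches heavy legitimate users of a sanctioned service, size alone catches one-off bulk uploads, and span alone catches nothing useful. The median gap in the output (about 24 days here) is the detail worth surfacing to an analyst, because a near-constant interval is what distinguishes a scheduled stealer from a human who occasionally syncs a file.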
🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first - CVE-2026-28318 (SolarWinds Serv-U), from CVE-2026-39210 through CVE-2026-39217 (FFmpeg), CVE-2026-20245 (Cisco Catalyst SD-WAN Manager), CVE-2026-20230 (Cisco Unified Communications Manager), CVE-2026-3300 (Everest Forms Pro plugin), CVE-2025-48595 (Google Android), CVE-2026-8501 (PCTCore64.sys), CVE-2026-10629 (Verizon IMS network), CVE-2026-7299 (Appsmith), CVE-2026-10621, CVE-2026-10622 (Collibra Agent), CVE-2026-0826 (HP Poly Voice), CVE-2026-8206 (Themeum Kirki - Freeform Page Builder, Website Builder & Customizer plugin), CVE-2026-23479, CVE-2026-23631 aka DarkReplica, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589 (Redis), CVE-2026-49200, CVE-2026-49201 (Acer Wave 7 routers), CVE-2026-8874, CVE-2026-8876, CVE-2026-8878, CVE-2026-8879, CVE-2026-8881, CVE-2026-8888, CVE-2026-8889 (Securly), CVE-2026-10881, CVE-2026-10882, CVE-2026-10883 (Google Chrome), CVE-2026-41722, CVE-2026-41723, CVE-2026-41724 (Broadcom VMware Cloud Foundation Operations), CVE-2026-34908, CVE-2026-34909 (UniFi OS Server), CVE-2026-4372 (Hugging Face), CVE-2026-45495 (Microsoft Edge), CVE-2026-42253 (Apache ActiveMQ), CVE-2026-9614 (Ivanti ISTM), CVE-2026-48019 (laravel/framework), CVE-2026-5386 (KMW CCTV security cameras), CVE-2026-5509 (TP-Link Archer BE450 v1 and Archer BE7200 v1), CVE-2026-4387 (StrongDM), CVE-2026-8633 (IBM WebSphere), and CVE-2026-9739 (MCP Toolbox).

🎥 Cybersecurity Webinars

Learn How to Validate What Your SIEM, EDR, and SOC Catch → Automated pentesting finds flaws. It doesn't prove your defenses caught them. Join Picus experts to learn where testing falls short, why "clean" reports can mislead, and how validation shows what your SIEM, EDR, and SOC actually detect.

Stop AI-Powered Attacks Before They Spread → AI is making cyberattacks faster, harder to spot, and easier

Indicators of Compromise

  • cve — CVE-2025-48595
  • malware — Miasma Worm

Entities

  • Android (product)
  • GitHub (product)
  • Instagram (product)
  • Microsoft (vendor)
  • Google (vendor)
  • TA4922 (threat_actor)