Weekly Cybersecurity Roundup: Tracking Cybercrime Across Corporate Systems, Trusted Insiders, and Vulnerable Victims

Published
Written by:
Vishwa Pandagle
Vishwa Pandagle
Cybersecurity Staff Editor

Cybercrime is no longer complex for attackers. It has become a simple maneuver for those who are well-versed in the systems and blending in with insiders. Breaches are less about discovering new exploits and more about abusing what organizations trust, both trusted access and people. 

Law enforcement and practitioners are responding with broader international cooperation, prosecuting the insiders who appear to work in defense but are brokering ransomware payments and supporting threat actors.

Device Code Phishing Abuses Microsoft OAuth 2.0 Flow to Hijack User Tokens

Attackers are abusing Microsoft's OAuth 2.0 Device Authorization Grant, also known as Device Code Flow, to trick users into authorizing access to their accounts. In a campaign observed between early April and mid-May 2026, victims received emails that appeared to be legal notices, leading them through a fake "LawConnect" portal before redirecting them to Microsoft's legitimate sign-in page. After victims entered a one-time device code and completed multi-factor authentication, attackers captured access, refresh, and identity tokens, potentially allowing access to Microsoft 365 services such as Outlook, OneDrive, and Teams.

Telstra Investigates Software Defect Behind Nationwide Outage That Disrupted Emergency Calls

Telstra has attributed a nationwide outage in Australia to a software defect that disrupted time synchronization across parts of its network, affecting mobile calls and data services from around 4:30 a.m. on Wednesday. The outage also interrupted some Triple Zero emergency calls, EFTPOS transactions, regional train services, and other businesses relying on the network before services were fully restored later in the day. The company said the issue stemmed from a reset of a GPS time-synchronization node and that there is no evidence the disruption resulted from malicious activity.

CAI Cloud Worm Targets Developer Tools, Steals Credentials, and Removes Rival Malware

A newly identified cloud worm dubbed Cloud AI Infrastructure Attack Framework (CAI) is targeting cloud-native developer tools to steal credentials, deploy cryptocurrency miners, and establish persistent access on compromised systems. According to Hunt.io, the malware scans for exposed services including Docker, Kubernetes, Redis, and Ray Dashboards before using centralized command-and-control infrastructure to coordinate attacks across cloud environments. The framework also seeks out and terminates TeamPCP and PCPJack malware processes, allowing it to monopolize infected hosts instead of competing for access. The operator rapidly evolved the malware from testing to active deployment over several weeks, with command-and-control logs and cryptocurrency wallet activity indicating successful compromises. 

17 npm and PyPI Packages Found Typosquatting PaySafe, Skrill, and Neteller SDKs

Socket has uncovered 17 malicious packages published across npm and PyPI that impersonate PaySafe, Skrill, and Neteller SDKs to target developers using payment integrations. The campaign included 13 npm packages and four PyPI packages, with the npm packages reportedly identified as malware within minutes of publication. The fake packages harvest API keys, tokens, passwords, and other sensitive environment variables before exfiltrating them to attacker-controlled infrastructure hosted on AWS. They also check for sandbox and analysis environments before activating, helping the malware evade automated detection. 

O-UNC-066 Vishing Campaign Abuses Microsoft Entra Passkey Enrollment to Hijack Accounts

Okta Threat Intelligence has identified a vishing campaign by the threat group O-UNC-066, also known as Pink, that targets Microsoft 365 users by abusing Microsoft Entra passkey enrollment. Attackers impersonate trusted personnel over the phone and direct victims to a phishing page resembling Microsoft's legitimate passkey registration process while secretly enrolling an attacker-controlled passkey on the victim's account. The campaign has targeted organizations across industries including technology, healthcare, aviation, automotive, construction, and food and beverage since April 2026. Researchers also linked the operation to an operator-controlled PHP phishing panel that adapts to victims' multi-factor authentication methods in real time.

Kripos Monero Tracing Method Supports 28 Arrests Across Seven Countries in Dark Web CSAM Operation

Norway’s National Criminal Investigation Service, Kripos, said 28 men aged 22 to 54 were arrested in Norway, Sweden, Switzerland, Canada, the Czech Republic, Poland, and Germany during a coordinated operation conducted from late May to mid-June 2026. The suspects allegedly used Monero to pay for access to dark web forums containing child sexual abuse material, and investigators applied a tracing method developed in 2025 to identify transactions in specific cases. Authorities seized more than 460 items, including electronic devices, storage media, cryptocurrency wallets, illegal material, drugs, and doping substances. One suspect used AI to generate abusive content, while some identified victims were members of another suspect’s family. Three children encountered during searches in Norway received protective assistance. 

Italy Fines Character.AI Owner €158,000 Over Privacy and Child Protection Failures

Italy’s data protection authority, the Garante, fined Character Technologies €158,000 over how its Character.AI platform processes personal information and protects younger users. The regulator found that users were not given sufficiently clear information about data handling and that the service’s age-verification measures did not adequately prevent minors from accessing or repeatedly attempting to register for the platform. The company must ensure its age checks and cooling-off mechanism work effectively while making minors’ profiles private by default. Authorities also cited delays in completing a Data Protection Impact Assessment and appointing a representative in the European Union.

Mie Prefecture Bans Personal USB Drives After Malware Is Found on 47 Devices

Mie Prefecture has banned personal USB drives at prefectural government offices after malware was detected on 47 USB devices during an inspection of 10,757 drives across 322 departments, including government offices, public health centers, and schools. Investigators found that 29 infected drives contained malware linked to legacy email data retained during a 2023 email system migration, while another 18 became contaminated after being connected to external terminals. Fourteen of the affected drives belonged to employees, including four that had been used without the required supervisory approval, prompting the prefecture to end the use of personal USB devices entirely. Officials said the malware remained dormant, with no evidence of data theft or system compromise because automatic USB execution was blocked and real-time scanning was in place.

Most APAC Organizations Build AI Security on Fragmented Foundations

Organizations across APAC are accelerating AI adoption, but many still lack the operational foundations needed to support it, according to a Forrester study commissioned by Fortinet. The survey found respondents rely on multiple security products or only partially integrated environments, creating visibility gaps and slowing response efforts. Alert overload was the most commonly reported SOC challenge, with 48% of respondents saying it contributes to missed or delayed incident responses. Among organizations using fragmented environments, 61% expect to transition to fully unified security platforms over the next two years.

INTERPOL Operation First Light Arrests 5,811 and Intercepts $293 Million

Operation First Light 2026 led to a massive 5,811 arrests across 97 countries and territories. Authorities intercepted $293 million in illicit assets and identified more than 142,000 victims. The operation targeted social engineering scams, money laundering, scam centres, and business email compromise. Investigators also blocked 31,014 bank accounts and solved 23,715 cases. One case involved a fake Brazilian police station used to deceive victims during video calls.

Infostealer Infection Likely Enabled Argentine Football Association Data Breach

Hudson Rock said an infostealer infection on a software developer's computer was the likely entry point behind the Argentine Football Association breach. The firm said the malware stole administrator credentials months before the intrusion, giving attackers direct access to databases and internal systems. The stolen credentials also enabled the threat actor to send emails from legitimate AFA domains, increasing the impact of the incident. Dormant stolen credentials became a pathway to large-scale compromise because they remained undetected.

764 Offshoot Leader Sentenced to 40 Years for Child Exploitation Crimes

A U.S. court sentenced Alexis Aldair Chavez, leader of the 764 offshoot known as 8884, to 40 years in prison for sexually exploiting children. Prosecutors said he blackmailed victims into producing child sexual abuse material, self-harm, and other abusive acts. Chavez pleaded guilty in December 2025 after investigators linked him to an online extremist network that targets vulnerable children. The sentence comes as authorities continue pursuing alleged members and affiliates of the 764 collective.

Ransomware Negotiator Sentenced for Helping BlackCat Extort Victims

Angelo Martino was sentenced to 70 months in prison after admitting that he assisted BlackCat ransomware operators while working for a cyber incident response company. He shared confidential details about victims’ negotiating positions, helping the attackers press for higher payments. Martino also worked with two former cybersecurity professionals to deploy ransomware against other U.S. organizations, including one that paid about $1.2 million in Bitcoin. Authorities have seized more than $10 million in assets, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat.

Beyond Breaches, When the Human Cost Runs Deeper

Attackers did not stop at fake schemes. They built fake police stations and turned to dormant stolen credentials to reach deeper into systems. They broadened supply chain attacks to reach developers, repurposed legitimate authentication features for social engineering, and used voice phishing to trick users into approving attacker actions. 

When criminals cross every boundary by exploiting children, including those within their families, security needs more than just defenders. The week showed that security needs more than defensive tools when technology, access, and people working within these systems turn rogue.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: