
BagheeraAltered's CyberSecurity Newsletter

March 2, 2026

CyberSecurity Newsletter March 2nd, 2026

In this week's news: previously harmless Google API keys now expose Gemini AI data; the ClawJacked vulnerability in OpenClaw could let websites hijack AI agents; NOTFOUND and AKATSUKI CYBER TEAM have officially announced a new alliance; the IDExpert Windows Logon Agent has a remote code execution vulnerability; Cisco says hackers have been exploiting a critical bug to break into big customer networks since 2023; SolarWinds hands hackers the master keys; Claude Code abused to steal 150GB in a cyberattack on Mexican agencies; Microsoft warns of a RAT delivered through trojanized gaming utilities; and APT37 hackers use new malware to breach air-gapped networks.


Google API keys for services like Maps, embedded in publicly accessible client-side code, could also be used to authenticate to the Gemini AI assistant and access private data. Researchers found nearly 3,000 such keys while scanning web pages from organizations across various sectors, including Google itself. The problem emerged when Google introduced its Gemini assistant and developers began enabling the LLM API in projects whose keys were already published in front-end code: a Google Cloud API key is scoped to its project, so unless API restrictions are configured on the key it is accepted by every API enabled in that project. Before this, such keys were treated as publishable client identifiers rather than secrets, and exposing them online carried little risk.
https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/
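The check a practitioner would run on their own deployed front-end is to pull every Google API key out of the shipped JavaScript and ask the Gemini models endpoint whether it accepts the key. The script below is an added example, not code from the newsletter, BleepingComputer or the researchers who ran the scan; the sample bundle and both keys are constructed, and the HTTP call is injected so the logic runs offline (the 400/403 interpretation is an assumption based on the public Gemini REST documentation).

```python
"""Added example (not from the newsletter or the original research): find Google
API keys embedded in client-side JavaScript and classify each one by whether the
Gemini (Generative Language) API accepts it.  The sample bundle is constructed;
the network call is injected so the logic runs offline."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Google API keys are 39 characters: the fixed prefix "AIza" followed by 35
# characters from [A-Za-z0-9_-].  Secret scanners use this same pattern.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Public Gemini REST endpoint that lists models for the caller's project.  A key
# that is not restricted away from this API is answered with HTTP 200.
GEMINI_MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"

# Constructed keys (not real credentials) for the sample bundle below.
KEY_MAPS = "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q"
KEY_SECOND = "AIzaSyZ9Y8X7W6V5U4T3S2R1Q0P9O8N7M6L5KJ4"

# Constructed stand-in for a minified front-end bundle: the Maps key appears
# twice, a second key once, and one "AIza" string that is too short to be a key.
SAMPLE_JS = (
    f'var m=new google.maps.Map(d,{{key:"{KEY_MAPS}"}});'
    f'fetch("https://maps.googleapis.com/maps/api/js?key={KEY_MAPS}");'
    f'window.__cfg={{analytics:"{KEY_SECOND}",tag:"AIzaShort"}};'
)


def find_google_api_keys(text: str) -> List[str]:
    """Return unique key candidates in first-seen order."""
    seen: Dict[str, None] = {}
    for match in GOOGLE_API_KEY_RE.finditer(text):
        seen.setdefault(match.group(0), None)
    return list(seen)


def gemini_probe_url(key: str) -> str:
    """Request that reveals whether the key reaches the Gemini API."""
    return f"{GEMINI_MODELS_URL}?key={key}"


def http_status(url: str) -> int:
    """Real probe using only the standard library; returns the HTTP status."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_key(key: str, fetch_status: Callable[[str], int] = http_status) -> str:
    """Classify a key by the status the models endpoint returns for it.

    200 means the project has the API enabled and the key is not restricted
    away from it: treat the key as a leaked credential.  400 and 403 are the
    codes for an invalid key or a project that does not permit this API
    (assumption based on the public Gemini REST documentation)."""
    status = fetch_status(gemini_probe_url(key))
    if status == 200:
        return "gemini-enabled"
    if status in (400, 401, 403):
        return "restricted"
    return f"unknown({status})"


def audit_bundle(js: str, fetch_status: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Map every key found in a JS bundle to its classification."""
    return {key: classify_key(key, fetch_status) for key in find_google_api_keys(js)}


if __name__ == "__main__":
    # Offline demonstration: pretend the Maps key reaches Gemini and the second
    # key is restricted.  Pass http_status instead of the lambda to probe for real.
    fake = {gemini_probe_url(KEY_MAPS): 200, gemini_probe_url(KEY_SECOND): 403}
    for key, verdict in audit_bundle(SAMPLE_JS, lambda u: fake.get(u, 0)).items():
        print(f"{key[:8]}...{key[-4:]}: {verdict}")
```

Any key that comes back "gemini-enabled" should be rotated and, for the replacement, given API restrictions in the Cloud Console that allow only the APIs the page actually calls (Maps JavaScript, for example), plus HTTP-referrer restrictions; a key that is meant to live in a browser can never be kept secret, so restriction is the only control that holds.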

North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance. The malicious campaign has been named Ruby Jumper and is attributed to the state-backed group APT37, also known as ScarCruft, Ricochet Chollima, and InkySquid.
https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

Cisco identified a critical vulnerability with a maximum severity score of 10.0 in its Catalyst SD-WAN products used by large enterprises and government agencies. Hackers have exploited this bug for at least three years, with evidence of exploitation traced back to 2023. The vulnerability allows remote attackers to gain the highest level of permissions on affected devices and establish persistent hidden access within victim networks.
https://briefly.co/anchor/Information_security/story/cisco-says-hackers-have-been-exploiting-a-critical-bug-to-break-into-big-customer-networks-since-2023---databreachesnet

SolarWinds Web Help Desk was found to be susceptible to a Java deserialization remote code execution vulnerability (CVE-2024-28986) that, if exploited, would allow an attacker to run arbitrary commands on the host machine.
https://www.sentinelone.com/vulnerability-database/cve-2024-28986/

Oasis Security researchers have found a critical vulnerability in OpenClaw, dubbed ClawJacked, that allows attackers to hijack AI agents from an ordinary browser tab.
https://www.oasis.security/blog/openclaw-vulnerability

Hackers abused Claude Code to build exploits and steal 150GB of data in a cyberattack targeting Mexican government systems.
https://securityaffairs.com/188696/ai/claude-code-abused-to-steal-150gb-in-cyberattack-on-mexican-agencies.html

Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe), distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT).
https://securityaffairs.com/188639/malware/microsoft-warns-of-rat-delivered-through-trojanized-gaming-utilities.html

Someone jumped at the opportunity to steal $4.4 million in crypto assets after South Korea's National Tax Service publicly exposed the mnemonic recovery phrase of a seized cryptocurrency wallet. The funds were stored in a Ledger cold wallet seized during law enforcement raids on 124 high-value tax evaders, which resulted in the confiscation of digital assets worth 8.1 billion won (currently approximately $5.6 million).
https://www.bleepingcomputer.com/news/security/48m-in-crypto-stolen-after-korean-tax-agency-exposes-wallet-seed/

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. The update focuses on the implant's ability to lie dormant and undetected on the appliances and on its "sophisticated network-level evasion and authentication techniques" that enable covert communication with the attacker.
https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/

CVE-2026-3000 is a remote code execution (RCE) vulnerability in the IDExpert Windows Logon Agent developed by Changing, affecting version 2.7.3.230719. It is classified as CWE-494, download of code without an integrity check: an unauthenticated remote attacker can coerce the logon agent into downloading arbitrary DLL files from an attacker-controlled server and executing them on the victim system.
https://radar.offseq.com/threat/cve-2026-3000-cwe-494-download-of-code-without-int-6f96a540
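What CWE-494 looks like in code, and what the fix looks like, is shown below as an added example. It is not code from Changing's IDExpert agent or from the advisory: the update host is a constructed in-memory dict, the payloads are constructed bytes standing in for DLLs, and the URL is hypothetical. The vulnerable loader executes whatever the host returns; the hardened loader pins a SHA-256 digest and refuses anything that does not match.

```python
"""Added example, not code from Changing's IDExpert agent or from the advisory:
the download-without-integrity-check pattern CWE-494 describes, beside a
hardened variant that pins a SHA-256 digest and refuses to execute anything
else.  The update host is a constructed in-memory dict so this runs offline."""
import hashlib
import hmac
from typing import Callable, Dict

PLUGIN_URL = "https://updates.example.invalid/agent/credprovider.dll"  # hypothetical

# Constructed payloads: the genuine module and what a spoofed or redirected host serves.
GENUINE = b"MZ\x90\x00" + b"genuine credential-provider module"
TAMPERED = b"MZ\x90\x00" + b"attacker-controlled module"

# The digest an agent would ship with, or fetch over a separately authenticated
# channel, for the release it expects.
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

HONEST_HOST: Dict[str, bytes] = {PLUGIN_URL: GENUINE}
SPOOFED_HOST: Dict[str, bytes] = {PLUGIN_URL: TAMPERED}


class IntegrityError(Exception):
    """Raised when a downloaded module does not match its pinned digest."""


def load_module(blob: bytes) -> str:
    """Stand-in for LoadLibrary: in a real agent this is where execution happens."""
    return f"executed {len(blob)} bytes"


def fetch_and_load_unchecked(url: str, fetch: Callable[[str], bytes],
                             load: Callable[[bytes], str] = load_module) -> str:
    """CWE-494 pattern: whatever the host returns is executed.  Anyone who can
    answer for the host (DNS, a redirect, a spoofed server) gets code execution."""
    return load(fetch(url))


def fetch_and_load_pinned(url: str, expected_sha256: str, fetch: Callable[[str], bytes],
                          load: Callable[[bytes], str] = load_module) -> str:
    """Hardened form: verify the digest before the bytes ever reach the loader."""
    blob = fetch(url)
    actual = hashlib.sha256(blob).hexdigest()
    # Constant-time compare; the digest is fixed length, so this is mostly hygiene.
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError(f"{url}: sha256 {actual} != pinned {expected_sha256}")
    return load(blob)


def pinned_load_rejects(url: str, expected_sha256: str, fetch: Callable[[str], bytes]) -> bool:
    """True when the pinned loader refuses the payload the host served."""
    try:
        fetch_and_load_pinned(url, expected_sha256, fetch)
    except IntegrityError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked, spoofed host:", fetch_and_load_unchecked(PLUGIN_URL, SPOOFED_HOST.__getitem__))
    print("pinned, honest host:", fetch_and_load_pinned(PLUGIN_URL, PINNED_SHA256, HONEST_HOST.__getitem__))
    print("pinned, spoofed host rejected:",
          pinned_load_rejects(PLUGIN_URL, PINNED_SHA256, SPOOFED_HOST.__getitem__))
```

Digest pinning is the minimum: for a DLL on Windows the stronger control is verifying an Authenticode signature against the vendor's pinned publisher certificate before loading, and the agent should also refuse to fetch from any host other than the vendor's own, over TLS with the server certificate validated. Neither check matters if it runs after the bytes have already been loaded.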

The Aeternum botnet uses Polygon blockchain smart contracts for command and control (C&C). Because its commands live on a public blockchain rather than on servers the operators own, there is no C2 host to seize or sinkhole, which makes the infrastructure far harder to detect, disrupt or shut down and significantly increases the malware's resilience and persistence in the wild.
https://securityaffairs.com/188627/mobile-2/aeternum-botnet-hides-commands-in-polygon-smart-contracts.html

A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-steals-crypto-shows-clickfix-attack/

A data breach at Canadian Tire exposed personal data from over 38 million accounts, including contact details and encrypted passwords.
https://securityaffairs.com/188659/data-breach/canadian-tire-2025-data-breach-impacts-38-million-users.html

Hundreds of Sangoma FreePBX instances are still infected with web shells following attacks that began in December 2025. Sangoma FreePBX is an open-source, web-based platform for managing Asterisk-powered VoIP phone systems. Maintained by Sangoma Technologies, it allows businesses to configure extensions, call routing, voicemail, IVR menus, and SIP trunks through an easy-to-use interface.
https://securityaffairs.com/188679/uncategorized/cve-2025-64328-exploitation-impacts-900-sangoma-freepbx-instances.html

A new hacktivist alliance has formed between two groups, NOTFOUND and AKATSUKI CYBER TEAM.


A yearlong Europol-coordinated operation dubbed "Project Compass" has led to 30 arrests and 179 suspects being tied to "The Com," an online cybercrime collective that targets children and teenagers. In a press release issued on Thursday, Europol said that investigators identified 62 victims and directly safeguarded four of them from the group's attacks.
https://www.bleepingcomputer.com/news/security/police-crackdown-on-the-com-cybercrime-gang-leads-to-30-arrests/

A Ukrainian man has pleaded guilty to operating OnlyFake, an AI-powered website that generated and sold more than 10,000 photos of fake identification documents to customers worldwide. 27-year-old Yurii Nazarenko (also known as "John Wick," "Tor Ford," and "Uriel Septimberus") admitted that his OnlyFake subscription-based platform used artificial intelligence to generate realistic-looking counterfeit passports, driver's licenses, and Social Security cards.
https://www.bleepingcomputer.com/news/security/ukrainian-man-pleads-guilty-to-running-ai-powered-fake-id-site/

Juniper released an emergency patch for Junos OS Evolved to fix CVE-2026-21902, a critical RCE flaw affecting PTX routers.
https://securityaffairs.com/188609/security/juniper-issues-emergency-patch-for-critical-ptx-router-rce.html
