Daily Threat Briefing

Cyware Daily Threat Intelligence - June 15, 2026


A wave of supply-chain attacks is slashing through trusted software channels, as Arch Linux AUR users face risk from over 1,500 tainted packages. Cyware spotlights how even routine updates can turn into a compromise, with malicious code targeting everyday developer tools and browsers.

Attackers are exploiting a critical flaw in Jenkins build servers, using insecure deserialization to inject code and tamper with automation pipelines. With active exploitation traced back to June 15, 2026, organizations must patch or risk losing control over their software releases.

The extortion group ShinyHunters is threatening to leak 297 GB of sensitive data from the Council of Europe, including payroll files and medical records. The breach exposes staff and contractors to identity fraud and lasting privacy harm if the data is released.

Top Malware Reported in the Last 24 Hours

MagicAd trojan slips into official stores

MagicAd is a trojan classified as Android.MagicAd.1, designed to force persistent advertisements on infected devices. MagicAd hides encrypted components inside native code and uses environment checks to evade detection, while abusing system apps to bypass Android restrictions and maintain background execution. MagicAd triggers itself through system apps such as Mi Browser and Amazon Fire TV Home Screen using “pending intent” commands on Xiaomi and Amazon devices, and leverages the Android Binder system on Vivo devices to initiate background ad activity. MagicAd infects users via more than 50 Android apps distributed through official marketplaces including Samsung Galaxy Store and Xiaomi’s GetApps. MagicAd targets Android users across multiple device brands, causing persistent unwanted ads and performance degradation. All identified apps have been removed from the stores, but affected users may still experience symptoms, as reported in the original alert.

Argamal RAT hides in hentai installers

Argamal is a newly discovered remote access Trojan (RAT) that grants attackers remote control and data theft capabilities on compromised machines. Argamal checks for monitoring tools before execution, downloads and decrypts its main module, and maintains command-and-control contact using UDP “heartbeat” messages. Argamal achieves persistence through COM hijacking, modifying registry settings tied to the Windows Color System Calibration Loader to survive reboots. Argamal is distributed via hentai game installers and avoids targeting users in China, with infections primarily in Russia, Brazil, Germany, and Vietnam. The campaign was detected in April 2026, and code analysis suggests Spanish-speaking operators, with hundreds of users affected.

Arch AUR malware wave taints packages

Arch Linux AUR has experienced a malware campaign that initially affected more than 1,500 packages, demonstrating the risks of community-driven software repositories. The malicious code was distributed across packages including Node.js, Plasma 6 applets, and Firefox, increasing the likelihood of widespread compromise. Arch Linux AUR malware uses sophisticated obfuscation targeting the Bun command, making detection during review more difficult. Arch Linux AUR users and teams relying on the repository face the risk of compromised workstations and developer environments, with potential exposure of personal and workplace data. The incident highlights the need for improved safeguards, verification processes, and user vigilance when installing packages.

Top Vulnerabilities Reported in the Last 24 Hours

Hackers exploit Jenkins servers via deserialization (CVE-2026-53435)

CVE-2026-53435 is a critical remote code execution vulnerability in Jenkins build servers. Successful exploitation allows attackers to run arbitrary code, tamper with build pipelines, inject malicious code into software releases, or access stored credentials. CVE-2026-53435 is being actively exploited in the wild, with activity observed since June 15, 2026. The vulnerability was identified through automated scanning and telemetry showing unusual POST traffic and suspicious config.xml changes. A fix is available via vendor patches or workarounds, and all Jenkins servers processing config.xml files are at risk until updated.
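The alert above says the Jenkins exploitation was spotted through telemetry showing unusual POST traffic against config.xml. The following is an added illustration of that detection idea, not code from Cyware or the Jenkins project: it parses constructed reverse-proxy access-log lines (combined log format is an assumption) and surfaces sources issuing POSTs to config.xml endpoints, including failed attempts, which are still worth investigating.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:09:12:01 +0000] "POST /job/build-api/config.xml HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:09:12:02 +0000] "POST /job/release/config.xml HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:09:12:03 +0000] "POST /job/deploy/config.xml HTTP/1.1" 403 0 "-" "python-requests/2.31"
10.0.0.5 - alice [15/Jun/2026:09:15:44 +0000] "GET /job/build-api/config.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jun/2026:09:16:10 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_config_xml_posts(log_text):
    """Return parsed entries that are POSTs to a config.xml endpoint.

    Status is deliberately ignored: a 403 still shows someone probing the endpoint.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"].endswith("/config.xml"):
            hits.append(entry)
    return hits


def summarize_by_source(hits, threshold=2):
    """Count config.xml POSTs per client IP and keep sources at or above threshold."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_config_xml_posts(SAMPLE_LOG)
    for ip, n in summarize_by_source(hits).items():
        agents = {h["ua"] for h in hits if h["ip"] == ip}
        print(f"{ip}: {n} config.xml POSTs, user-agents={sorted(agents)}")
```

On a real deployment, correlate the flagged sources with Jenkins' own audit trail and with job config.xml diffs rather than relying on the proxy log alone.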

Spring AI SQL injection breaks policy controls (CVE-2026-47835)

CVE-2026-47835 is a critical SQL injection and security policy bypass vulnerability in Spring AI. Exploitation could allow attackers to alter database queries and bypass application safeguards, exposing sensitive data. No active exploitation has been reported in the advisory. CERT-FR warns that CVE-2026-47835 affects Spring AI versions 1.0.x before 1.0.9 and 1.1.x before 1.1.8. The issue was disclosed by CERT-FR, and a fix is available in the patched releases, with all unpatched deployments at risk.

Wazuh flaw lets attackers erase evidence (GHSA-ff9g-85jq-r3g3, CVSS 10.0)

GHSA-ff9g-85jq-r3g3 is a vulnerability in Wazuh Manager with a CVSS score of 10.0. Successful exploitation allows unauthenticated attackers to alter alerts and delete logs, undermining incident telemetry. No active exploitation has been observed. The vulnerability stems from insufficient validation of agent-controlled input in the inventory_sync module, enabling arbitrary OpenSearch operations. The issue was disclosed in a public advisory, and a fix is available in Wazuh Manager 5.0.0-beta3, with multi-tenant environments facing amplified risk until patched.

Top Threat Actors Reported in the Last 24 Hours

ShinyHunters threatens Council of Europe leak

ShinyHunters is an extortion group whose origin remains unconfirmed, active since mid-2025, with a primary motive of data theft and extortion. ShinyHunters claims to have breached the Council of Europe and threatens to publish 297 GB of stolen data, including payroll files, CVs, contracts, and sensitive personal records. ShinyHunters describes the breach as spanning HR, the Secretariat, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare. ShinyHunters targets staff and contractors, exposing them to identity fraud and privacy harm if the data is leaked. The group references prior high-profile victims and recent exploitation of a zero-day in Oracle PeopleSoft, with the Council of Europe not publicly acknowledging the incident.

Pink extortion crew scales MFA-bypass phishing

Pink Data Extortion Group (potentially a rebrand of BlackFile/Redact) is an extortion-focused crew whose origin remains unconfirmed, affiliated with the Com network and targeting high-value US sectors. Pink Data Extortion Group uses voice phishing and phishing kits to capture credentials in Okta and Microsoft Entra ID environments, aiming to bypass MFA and steal data. Pink Data Extortion Group employs MITRE ATT&CK techniques T1591, T1583.001, and T1566.002, combining target research, infrastructure setup, and phishing delivery. Pink Data Extortion Group targets healthcare, technology, and financial services organizations, where a single impersonation of “IT support” can enable account takeover and extortion. Researchers note kit-level evasion tactics such as hardware/VM fingerprinting, headless browser detection, network/ASN filtering, and hosting via Cloudflare and DDoS-Guard.

Exposed malware panel reveals OPSEC failures

A PHP-based malware distribution platform of suspected criminal origin was discovered in a misconfigured state, with a primary motive of facilitating malware delivery. The platform exposed an unlocked installation page, allowing reinstallation and backend access that could be used to interfere with or observe malware operations. The platform uses weak session management, allowing previously issued session cookies to remain valid after backend recovery. The platform targets victims through multi-stage redirect chains, including Google Colab-hosted pages, to disguise the source of malicious content. Investigators found the interface was originally in Russian, and the platform’s OPSEC failures highlight how backend misconfigurations can expose criminal infrastructure.

Frequently Asked Questions

  1. What is MagicAd? MagicAd (tracked as Android.MagicAd.1) has been found embedded in more than 50 Android apps published through official marketplaces including Samsung Galaxy Store and Xiaomi’s GetApps, where it quietly forces ads to appear even after the user closes the app. It hides encrypted components inside native code, then uses environment checks to dodge scrutiny and abuses system apps to bypass Android restrictions so it can keep running in the background.

  2. What is Argamal? Argamal is a newly discovered remote access Trojan (RAT) planted inside hentai game installers, giving attackers remote control of infected machines and the ability to steal data. It checks for monitoring tools before proceeding, then pulls down and decrypts its main module, and it maintains contact using UDP “heartbeat” messages to its command-and-control infrastructure.

  3. What is Arch Linux AUR? Arch Linux AUR has been hit by another wave of malware activity that initially affected more than 1,500 packages, showing how quickly a community software repository can become a supply-chain hazard. The malicious code was found across a wide mix of packages including Node.js, Plasma 6 applets, and Firefox, increasing the odds that everyday installs could pull in a poisoned build.

  4. What is CVE-2026-53435? A critical remote code execution bug in Jenkins (CVE-2026-53435) is being actively exploited, giving attackers a way to run arbitrary code on vulnerable build servers. The weakness sits in insecure deserialization during config.xml processing, which can let an intruder tamper with build pipelines, inject malicious code into software releases, or reach stored credentials used by automation.

  5. What is CVE-2026-47835? A critical flaw in Spring AI (CVE-2026-47835) enables SQL injection and a security policy bypass, potentially exposing sensitive data and undermining application safeguards. In practical terms, an attacker who can reach a vulnerable endpoint may be able to feed crafted input that alters database queries and sidesteps the guardrails developers expect to be enforced.

  6. What is ShinyHunters? ShinyHunters, an extortion group active since mid-2025, has claimed a breach of the Council of Europe and is threatening to publish 297 GB of stolen data. They say the haul includes payroll files, CVs, contracts, and deeply sensitive personal records such as IDs, addresses, tax and social security details, and even medical information.

  7. What is Pink Data Extortion Group? The Pink Data Extortion Group (potentially a rebrand of BlackFile/Redact) is described as an extortion-focused crew affiliated with the Com network and aimed at high-value US sectors. They use voice phishing and phishing kits built to capture credentials in Okta and Microsoft Entra ID environments, with the goal of bypassing MFA and stealing data.
