SecurityWeek’s weekly cybersecurity news roundup provides a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape. This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Trump Mobile Data Breach
Phone provider Trump Mobile has confirmed that customers’ names, addresses, email addresses, phone numbers, and other personal data were exposed to the internet. The company reportedly stated that a third-party platform provider was responsible for the exposure. Trump Mobile, which markets itself as a conservative alternative to mainstream carriers, has not disclosed the number of affected customers. The exposed fields are precisely what an attacker needs for identity theft, targeted phishing, and social engineering against subscribers, so affected users should watch for unsolicited messages that reference their account and enable multi-factor authentication wherever possible. The incident also underscores the risk that third-party integrations pose to mobile service providers and the need for vendor risk management, including regular audits of partners’ security posture.
Russian Hackers’ Deep Reach in Treasury Emails
Documents produced in a Freedom of Information Act lawsuit filed by Bloomberg News against the US government show that the Russian state-sponsored group behind the 2019-2020 SolarWinds supply chain attack had deep access to Treasury email. The hackers reportedly focused on only eight mailboxes, which were in turn linked to some 300 other email addresses, at a department that employed roughly 94,000 people at the time. Such a narrow focus points to deliberate reconnaissance and targeting of specific high-value information rather than bulk collection. The SolarWinds campaign, attributed to Russia’s SVR foreign intelligence service, compromised multiple federal agencies and private sector organizations through a trojanized update of the Orion platform. The Treasury details illustrate the long tail of supply chain compromises and raise questions about how fully post-breach remediation accounted for the depth of access the adversary had achieved.
VS Code Remote SSH Extension Vulnerability
A remote code execution (RCE) vulnerability in the Visual Studio Code (VS Code) Remote‑SSH extension could allow attackers to pivot to remote systems, security researcher Suman Kumar Chakraborty warns. When a Remote-SSH connection is initiated, the extension writes a bootstrap shell script to the local Temp directory and then transmits it to the remote host, where it is executed. Because the script sits in that directory before it is sent, anyone with write access to it on the local machine (another user on a shared workstation, or a low-privileged process that has already gained a foothold) can modify the script in the window between write and transmission, for example to append a reverse shell that then runs on the remote server under the developer’s SSH account. The flaw affects developers who use VS Code for remote development, a common practice in DevOps and cloud engineering; successful exploitation could yield persistent access to remote servers and a path to data theft and lateral movement. Microsoft has not yet released a patch. Until one is available, users should make sure the directory the extension writes to is not readable or writable by other local accounts, and consider alternative remote development methods.
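The weakness described above is a script staged in a shared location and read back later. The following added example (not code from the Remote-SSH extension or from the researcher’s write-up) shows both halves of the problem: an audit that flags the conditions under which another local user could tamper with a staged script, and a hardened staging routine that creates a private directory and an exclusively-created, owner-only file. The staging path is an assumption; pass whatever directory your VS Code build actually uses.

```python
import os
import stat
import tempfile

# Added example, not the extension's own code. Paths are assumptions: point
# audit_stage_dir() at the directory your VS Code build writes its bootstrap
# script to (the "Temp directory" in the report).

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_stage_dir(path: str) -> list[str]:
    """Report conditions that let another local user tamper with scripts staged in `path`.

    Returns human-readable findings; an empty list means nothing suspicious was found.
    """
    findings = []
    me = os.getuid()
    d = os.stat(path)
    if d.st_uid != me:
        findings.append(f"directory {path} is owned by uid {d.st_uid}, not the current user")
    if d.st_mode & GROUP_OR_OTHER_WRITE:
        if d.st_mode & stat.S_ISVTX:
            # Sticky bit (as on /tmp): others cannot delete or rename our files, but they
            # can still pre-create a file with a predictable name before we write it.
            findings.append(f"directory {path} is shared-writable (sticky); predictable script names are still a risk")
        else:
            findings.append(f"directory {path} is writable by group/others without the sticky bit; files can be replaced")
    for name in os.listdir(path):
        fp = os.path.join(path, name)
        try:
            f = os.lstat(fp)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(f.st_mode):
            findings.append(f"{fp} is a symlink; a staged script could be redirected elsewhere")
            continue
        if not stat.S_ISREG(f.st_mode):
            continue
        if f.st_uid != me:
            findings.append(f"{fp} is owned by uid {f.st_uid}, not the current user")
        if f.st_mode & GROUP_OR_OTHER_WRITE:
            findings.append(f"{fp} is writable by group/others and can be modified before execution")
    return findings


def stage_script_privately(content: str) -> str:
    """Write `content` the way a hardened bootstrap should: a fresh 0700 directory and a
    file created with O_CREAT|O_EXCL at mode 0600, so no other user can read, replace,
    or pre-create it. Returns the script path."""
    d = tempfile.mkdtemp(prefix="rssh-")  # mkdtemp creates the directory with mode 0700
    path = os.path.join(d, "bootstrap.sh")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # fails if it already exists
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    p = stage_script_privately("#!/bin/sh\necho bootstrap\n")
    print("staged:", p)
    for finding in audit_stage_dir(os.path.dirname(p)) or ["no findings"]:
        print(" -", finding)
```

Run the audit against the real staging directory on a shared or multi-user workstation; any finding other than an empty list is a condition under which the race described in the report is exploitable locally.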
UK Visa Portal Exposes Over 100,000 Documents
A website called UK Visa Portal publicly exposed more than 100,000 documents belonging to people who applied for a UK visa, TechCrunch reports. The site, which is not affiliated with the UK government, requires applicants to upload selfies and passport scans and to pay a fee for help obtaining a visa. The files were stored in a publicly accessible AWS S3 bucket, which was secured earlier this week. Passport scans and selfies are exactly the material needed for identity fraud, fraudulent loan applications, and other criminal activity, and the incident highlights the risk of third-party visa processing services that lack basic cloud security controls. Applicants who used the portal are advised to monitor their credit reports and to be wary of phishing attempts that reference their visa application. The UK government has distanced itself from the portal, but the exposure cannot be undone for those affected.
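An exposed S3 bucket is usually a bucket policy or ACL that grants anonymous read. The following added example (not AWS tooling and not the portal’s real configuration) evaluates a bucket policy document for statements that let the anonymous principal read objects or list the bucket, expanding IAM action wildcards so that `s3:*` and `s3:Get*` are caught as well as `s3:GetObject`. Statements that grant public read only under a Condition are reported separately for manual review, because a condition such as a VPC endpoint restriction may or may not actually prevent public access. The sample policies are constructed.

```python
import fnmatch
import json

# Added example, not AWS code. It checks a bucket policy only; bucket and object
# ACLs and the account/bucket Block Public Access settings are separate controls.

# Actions that expose bucket contents to whoever holds them.
READ_LIKE = ("s3:GetObject", "s3:ListBucket")


def _listify(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _anonymous_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _listify(principal.get("AWS"))
    return False


def _grants_read(actions) -> bool:
    # IAM action strings support * and ? wildcards and are case-insensitive.
    for pattern in _listify(actions):
        for act in READ_LIKE:
            if fnmatch.fnmatchcase(act.lower(), pattern.lower()):
                return True
    return False


def classify_bucket_policy(policy: dict) -> dict:
    """Return {"public": [sids], "conditional": [sids]} for Allow statements that grant
    anonymous read outright, or only under a Condition. NotAction/NotPrincipal forms
    are not expanded here and should be reviewed by hand."""
    result = {"public": [], "conditional": []}
    for i, st in enumerate(_listify(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not _anonymous_principal(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action")):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        bucket = result["conditional"] if st.get("Condition") else result["public"]
        bucket.append(sid)
    return result


# Constructed sample policies for illustration (bucket names are made up).
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowPublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-visa-uploads/*"
  }]
}""")

RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploadWorkerOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-worker"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-visa-uploads", "arn:aws:s3:::example-visa-uploads/*"],
    }],
}

CONDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpceOnly",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:Get*", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-visa-uploads", "arn:aws:s3:::example-visa-uploads/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY), ("conditional", CONDITIONAL_POLICY)):
        print(name, classify_bucket_policy(pol))
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) for each bucket that stores uploaded documents; anything in `public` is an exposure, and anything in `conditional` needs a human to decide whether the condition really excludes the open internet.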
LinkedIn Phishing Campaign Abuses Adobe Target
A new phishing campaign impersonates LinkedIn and is framed as a business inquiry. The emails carry fake contract attachments that look like PDFs but are in fact HTML files; when opened, they send the victim to the Adobe Target A/B testing platform. The attackers abuse Adobe Target to track visitors and serve fake login pages that harvest credentials before redirecting the victim to the real LinkedIn site. Routing the lure through a legitimate marketing platform helps it evade reputation-based filters and lends the attack credibility: Adobe Target exists for A/B testing and personalization, and the attackers are using those same tracking and content-serving capabilities to monitor behavior and deliver malicious content dynamically. The campaign targets professionals who rely on LinkedIn for business networking, making it likely that victims will enter their credentials on the fake page. Users should verify unsolicited business inquiries through a separate channel, treat an HTML attachment presented as a PDF as a red flag, and check the URL carefully before entering login information.
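The lure in this campaign is an HTML file dressed up as a PDF, so the cheapest detection is to compare what an attachment claims to be with what its bytes actually are. The following added example (not code from any vendor or from the report) sniffs an attachment, flags HTML content behind a PDF name, and pulls out the client-side redirect targets (meta refresh, `location` assignments) that such lures use to bounce the victim onward. The attachments and URLs in it are constructed, not samples from the campaign.

```python
import re

# Added example; constructed inputs, not real lures from the campaign.

PDF_MAGIC = b"%PDF-"
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<meta", b"<iframe")

# The usual client-side redirect idioms found in HTML phishing attachments.
REDIRECT_PATTERNS = (
    re.compile(rb'http-equiv\s*=\s*["\']?refresh["\']?[^>]*?url\s*=\s*["\']?([^"\'>\s;]+)', re.I),
    re.compile(rb'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(rb'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']', re.I),
)


def sniff_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment by content, not by name, and list any redirect targets.

    verdict is one of: "pdf", "html", "html_disguised_as_pdf", "unknown".
    """
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    # "contract.pdf" and double-extension tricks like "contract.pdf.html" both claim PDF.
    claims_pdf = ext == "pdf" or ".pdf." in name
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n").lower()  # skip BOM and whitespace
    is_pdf = data.startswith(PDF_MAGIC)
    is_html = (not is_pdf) and any(marker in head for marker in HTML_MARKERS)

    targets = []
    if is_html:
        for pattern in REDIRECT_PATTERNS:
            for m in pattern.finditer(data):
                url = m.group(1).decode("latin-1")
                if url not in targets:
                    targets.append(url)

    if claims_pdf and is_html:
        verdict = "html_disguised_as_pdf"
    elif is_pdf:
        verdict = "pdf"
    elif is_html:
        verdict = "html"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "claimed_extension": ext, "redirect_targets": targets}


# Constructed samples: a meta-refresh lure, a JavaScript-redirect lure, and a real PDF header.
META_LURE = (b'<!DOCTYPE html><html><head><meta http-equiv="refresh" '
             b'content="0;url=https://example-redirect.invalid/r?id=abc123"></head><body></body></html>')
JS_LURE = b'<html><body><script>window.location.href = "https://example-login.invalid/signin";</script></body></html>'
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for fname, blob in (("Contract_2026.pdf.html", META_LURE), ("Invoice.pdf", JS_LURE), ("contract.pdf", REAL_PDF)):
        print(fname, "->", sniff_attachment(fname, blob))
```

In a mail gateway or a triage script, anything with verdict `html_disguised_as_pdf` should be quarantined, and the extracted redirect targets are what you feed into URL analysis or block lists. The PDF check is deliberately strict (the `%PDF-` signature must be at byte zero), since that is also what real readers expect.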
2026 FIFA World Cup in Attackers’ Crosshairs
Just as the 2026 FIFA World Cup is about to kick off, Group-IB has discovered more than 4,300 fraudulent domains impersonating FIFA, including a sophisticated phishing campaign run by a Chinese-speaking group tracked as Ghost Stadium. The group has set up more than 300 domains, among them a pixel-perfect clone of the legitimate FIFA site, and the phishers could reportedly cause hundreds of millions of dollars in losses. The campaign targets fans looking for tickets, merchandise, and travel arrangements. Global sporting events are prime targets for cybercriminals because of the volume of online transactions and the emotional investment of fans, which makes people less careful about where they type payment details. Ghost Stadium’s tactics include domain squatting, typosquatting, and social engineering to trick users into entering payment information and personal data. Organizations involved in the World Cup are urged to monitor for lookalike domains and to educate fans about the risks of unofficial websites. The scale of the operation highlights the need for proactive threat intelligence around major events.
Veeam, Notepad++, Roundcube Patches
Veeam this week resolved two high-severity vulnerabilities in its Backup & Replication product, warning that they could lead to privilege escalation and arbitrary file writes. Notepad++ patched three security issues, including two that could lead to arbitrary code execution. The latest Roundcube security updates fix eight flaws, including an unauthenticated SQL injection and an arbitrary file deletion bug. The Veeam fixes matter because backup servers hold copies of an organization’s most sensitive data; exploitation could let an attacker disrupt backup and recovery or reach the data the backups contain. Notepad++ remains a widely used text editor, and its vulnerabilities could be triggered by opening a crafted file. Roundcube, an open-source webmail client, is deployed by many hosting providers and enterprises; an unauthenticated SQL injection could allow attackers to read email contents or modify database records without valid credentials. Administrators are advised to apply the latest updates promptly and to test their systems for compatibility issues after patching.
CISA Responds to Recent Supply Chain Attacks
The US cybersecurity agency CISA has added three vulnerabilities exploited in recent software supply chain attacks to its Known Exploited Vulnerabilities (KEV) catalog. They affect Daemon Tools Lite, TanStack, and Nx Console, the last of which was used in the hack that exposed some 3,800 internal GitHub repositories. CISA also issued an alert on the Megalodon and Nx Console attacks, urging organizations to hunt for and remediate potential compromises, and npm invalidated granular access tokens in response to the attacks. Inclusion in the KEV catalog obliges federal civilian agencies to patch by a set deadline, but CISA’s alert applies to all organizations, not just government entities. The Nx Console attack demonstrated how a compromised developer tool can lead to widespread contamination of code repositories. Organizations are encouraged to review their software supply chain, rotate secrets, and enforce strict access controls for CI/CD pipelines.
Supply Chain Attack Hits 176 NPM Packages
Sonatype warns of a supply chain attack involving 176 malicious npm packages whose postinstall scripts install information-stealing malware on victims’ computers. The malware harvests and exfiltrates credentials, system and directory information, environment variables, CI/CD secrets, and other tokens and sensitive data. All of the malicious packages carry the version number 99.99.99, an implausibly high version of the kind used in dependency confusion attacks, where a public package is published with a higher version than an internal one of the same name so that the resolver prefers it. The attack targets JavaScript developers who use npm for package management; because postinstall scripts run automatically at install time, the malware executes without any further action from the developer and is easy to miss. Developers are advised to review their package.json and lock files, verify package integrity, and consider private registries or sandboxed environments for installing untrusted packages. Sonatype has published the list of malicious package names, and users are urged to remove any of them immediately.
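Two things in the report are directly checkable from a project’s own files: whether any dependency resolved to the 99.99.99 version, and which packages run install-time scripts at all. The following added example (not Sonatype’s tooling) reads an npm package-lock.json (lockfile v1, v2, or v3) and a package.json and reports both. The package names in the constructed sample lockfile are made up; substitute Sonatype’s published list for a real sweep.

```python
import json

# Added example, not Sonatype code. The sample lockfile below is constructed; the
# package names in it are placeholders, not the real malicious packages.

SUSPECT_VERSIONS = {"99.99.99"}   # version shared by the 176 packages in the report
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")  # scripts npm runs on install


def iter_lock_entries(lock: dict):
    """Yield (name, version, has_install_script) for every package in the lockfile.

    Lockfile v2/v3 keeps a flat 'packages' map keyed by path (node_modules/a/node_modules/b);
    v1 nests 'dependencies'. npm records hasInstallScript for packages with install scripts.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), bool(meta.get("hasInstallScript"))
        return

    def walk(deps):
        for name, meta in (deps or {}).items():
            yield name, meta.get("version"), bool(meta.get("hasInstallScript"))
            yield from walk(meta.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def suspicious_entries(lock: dict) -> list[dict]:
    """Packages pinned to a reported-malicious version, or that run install scripts."""
    out = []
    for name, version, has_script in iter_lock_entries(lock):
        reasons = []
        if version in SUSPECT_VERSIONS:
            reasons.append("reported malicious version")
        if has_script:
            reasons.append("runs install script")
        if reasons:
            out.append({"name": name, "version": version, "reasons": reasons})
    return out


def install_scripts(pkg_json: dict) -> dict:
    """Lifecycle scripts a package.json declares, i.e. what 'npm install' would execute."""
    scripts = pkg_json.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in LIFECYCLE}


# Constructed lockfile v3 fragment with placeholder package names.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad-ish": "^1.0.0", "totally-fine-utils": "99.99.99"}},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/totally-fine-utils": {"version": "99.99.99", "hasInstallScript": True},
        "node_modules/native-helper-ish": {"version": "0.21.0", "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_LOCK):
        print(entry)
    print(install_scripts({"scripts": {"postinstall": "node setup.js", "test": "jest"}}))
```

Packages that legitimately need install scripts (native builds) will also show up under “runs install script”, so that list is for review rather than automatic removal; a “reported malicious version” hit is an incident. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle scripts from running at all, which is the cheapest way to neutralize this delivery mechanism in CI.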
Contractor Jailed for Hacking Former Employer
Maxwell Schultz, 36, of Columbus, Ohio, was sentenced to 24 months in federal prison for hacking into his former employer’s network after his contract was terminated in May 2021. Impersonating another contractor, he obtained login credentials, accessed the company’s systems, and executed a script that reset roughly 2,500 passwords, locking out employees and contractors and causing more than $862,000 in losses. Schultz pleaded guilty in November 2025. The case underscores the insider threat posed by disgruntled contractors who know the network architecture and the access procedures well enough to talk their way back in. The sentence reflects both the financial impact and the deliberate nature of the attack. Organizations should enforce offboarding procedures that revoke all credentials immediately, make sure that credentials cannot be issued to someone merely claiming to be a contractor, and monitor for access attempts by departed staff. The incident also highlights the value of logging and alerting on anomalous administrative actions, such as a single account resetting passwords in bulk.
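A script that resets 2,500 passwords is loud in the audit log: one actor, many distinct targets, a short window. The following added example (not code from the investigation) implements that detection over a constructed, simplified rendering of Windows Security event 4724 (“an attempt was made to reset an account’s password”). The log format, account names, threshold and window are assumptions; wire the parser to your real event source and tune the threshold to what your helpdesk normally does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not investigators' tooling. Log lines are a constructed, simplified
# rendering of Windows event 4724: "<ISO-8601 time> 4724 subject=<actor> target=<account>".

LINE_RE = re.compile(r"^(\S+)\s+4724\s+subject=(\S+)\s+target=(\S+)")

# Constructed sample: one service account resets six accounts in under two minutes,
# a helpdesk account resets three accounts over a morning, and one unrelated event.
SAMPLE_LOG = r"""2021-05-10T02:13:50Z 4624 subject=CORP\svc_ops logon
2021-05-10T02:14:03Z 4724 subject=CORP\svc_ops target=CORP\a.lee
2021-05-10T02:14:04Z 4724 subject=CORP\svc_ops target=CORP\b.kim
2021-05-10T02:14:06Z 4724 subject=CORP\svc_ops target=CORP\c.diaz
2021-05-10T02:14:09Z 4724 subject=CORP\svc_ops target=CORP\d.rao
2021-05-10T02:15:12Z 4724 subject=CORP\svc_ops target=CORP\e.nguyen
2021-05-10T02:15:40Z 4724 subject=CORP\svc_ops target=CORP\f.osei
2021-05-10T08:02:11Z 4724 subject=CORP\helpdesk1 target=CORP\g.chen
2021-05-10T09:31:45Z 4724 subject=CORP\helpdesk1 target=CORP\h.park
2021-05-10T11:05:02Z 4724 subject=CORP\helpdesk1 target=CORP\g.chen
"""


def parse_resets(lines):
    """Return (timestamp, actor, target) for each 4724 line; other events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append((ts, m.group(2), m.group(3)))
    return events


def mass_reset_alerts(lines, window=timedelta(minutes=5), threshold=5) -> list[dict]:
    """Alert on any actor that resets >= threshold distinct accounts within `window`.

    For each actor, slide a window over its sorted reset events and track the largest
    number of distinct targets seen inside any one window.
    """
    by_actor = defaultdict(list)
    for ts, actor, target in parse_resets(lines):
        by_actor[actor].append((ts, target))

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort()
        best, best_start, best_end = 0, None, None
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            distinct = len({t for _, t in evs[i:j]})
            if distinct > best:
                best, best_start, best_end = distinct, evs[i][0], evs[j - 1][0]
        if best >= threshold:
            alerts.append({"actor": actor, "distinct_targets": best,
                           "start": best_start.isoformat(), "end": best_end.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in mass_reset_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct targets rather than raw events keeps a helpdesk retrying the same user from tripping the rule, and the window bound keeps a busy but normal day from accumulating into a false positive. The same shape of rule applies to bulk account disables, group membership changes, or any other administrative action that a departing insider might script.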
Source: SecurityWeek News