theinfosecnews
CISA KEV: CVE-2026-3502, CVE-2026-5281, CVE-2026-3055, CVE-2025-53521, CVE-2026-33634
vulnerability

BrowserGate: Microsoft LinkedIn's Hidden JavaScript Scripts Expose Browser Extensions and Device Data

The BrowserGate report reveals that Microsoft's LinkedIn uses hidden JavaScript to scan visitors' browser extensions and collect device data, raising privacy concerns. Although this is not a traditional vulnerability, the collected data can aid profiling and tracking, so organizations should consider mitigation strategies.

BleepingComputer·2h ago·2 min read
apt

TA416 Resurges with Targeted Attacks on European Government and Diplomatic Entities Since Mid-2025

Since mid-2025, the China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year lull. The group employs spear-phishing, exploits Microsoft Office vulnerabilities, and uses multi-stage malware to conduct espionage. Detection and defense require patch management, email filtering, and endpoint monitoring.

The Hacker News·5h ago·2 min read
breach

Supply Chain Attacks Linked to TeamPCP Amplified by ShinyHunters and Lapsus$ Involvement

Organizations have disclosed breaches stemming from TeamPCP's supply chain compromise, with threat actors ShinyHunters and Lapsus$ claiming involvement. These attacks exposed sensitive data through injected malicious code in software updates, affecting numerous enterprises. Affected users should audit software integrity, reset credentials, and enable multi-factor authentication.

Dark Reading·7h ago·2 min read
apt

UNC1069 North Korean APT Executes Targeted Social Engineering to Compromise Axios NPM Package

North Korean APT group UNC1069 targeted the Axios npm package via a tailored social engineering attack against its maintainer. The campaign aimed to insert malicious code into this critical open-source library, posing risks to global software supply chains. Detection methods include MFA, cryptographic signing, and vigilant monitoring of package updates.

The Hacker News·12h ago·2 min read
policy

Microsoft Mandates Windows 11 25H2 Upgrade for Unmanaged Home and Pro Devices

Microsoft has begun force-upgrading unmanaged Windows 11 24H2 Home and Pro devices to version 25H2 to address critical vulnerabilities including CVE-2023-28252. Unmanaged devices not enrolled in enterprise management tools will be automatically updated starting June 2024. Organizations should audit unmanaged endpoints and enforce patch management to maintain security compliance.

BleepingComputer·15h ago·2 min read
policy

RSAC 2026: AI-Driven Threats, Global Cyber Leadership Shifts, and the Policies Reshaping Defense Priorities

RSAC 2026 surfaced AI-assisted attack tooling, enforcement of EU NIS2 and the incoming EU AI Act, and structural shifts in U.S. and allied cyber leadership as the defining issues for security practitioners. SOC teams and CISOs face active NIS2 enforcement since October 2024, EU AI Act high-risk system deadlines in August 2026, and ongoing CISA KEV remediation obligations. Organizations must audit AI product compliance, validate vulnerability remediation workflows, and document NIS2 risk management measures now.

Dark Reading·1d ago·4 min read
breach

Cisco Talos Links Large-Scale Credential Harvesting Campaign to React2Shell Exploitation

Cisco Talos has attributed a large-scale credential harvesting operation to a tracked threat cluster exploiting the React2Shell vulnerability to steal AWS secrets, SSH keys, GitHub tokens, Stripe API keys, database credentials, and shell history at scale. The campaign used automated post-exploitation tooling to sweep compromised systems for secrets across multiple credential categories simultaneously. Affected organizations should immediately patch React2Shell, rotate all exposed secrets, and review cloud and source control access logs using IOCs published by Talos.

The Hacker News·1d ago·3 min read
policy

SEC Cybersecurity Disclosure Rule: What CISOs and Security Engineers Must Do Before the Deadlines Hit

The SEC's cybersecurity disclosure rule requires public companies to report material incidents on Form 8-K within four business days of a materiality determination, and to disclose risk management programs and board oversight annually in 10-K filings. Large accelerated filers have been subject to incident reporting requirements since December 18, 2023, with enforcement precedent already set through the SEC's fraud charges against SolarWinds and CISO Timothy Brown. Security teams must build materiality determination workflows, align IR playbooks to disclosure triggers, and ensure 10-K disclosures accurately reflect internal security posture.

Dark Reading·1d ago·4 min read
breach

Drift Protocol Loses $280 Million After Attacker Seizes Security Council Admin Controls

Drift Protocol, a Solana-based decentralized perpetuals exchange, lost at least $280 million after an attacker compromised the signing keys of its Security Council multisig and used administrative privileges to drain protocol-controlled vaults. The attack targeted the governance layer rather than a smart contract vulnerability, exploiting insufficient key management practices among Security Council signers. Affected users should withdraw remaining funds, revoke token approvals, and avoid unofficial recovery contracts.

BleepingComputer·1d ago·3 min read