Field notes from the edge.
What our engineers learned this week. Hands-on technical deep-dives, postmortems, and strategy frameworks.

ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories
The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells. Add exposed edge gear, poisoned packages, cash co

INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations

Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026. "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published T

DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of

Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach
iRhythm Holdings Inc., a publicly traded heart monitoring device manufacturer, has notified the U.S. Securities and Exchange Commission (SEC) about a cybersecurity incident that was first identified on June 8, 2026. According to the SEC filing, iRhythm identified unauthorized access to certain business applications that are hosted on a third-party platform. The company activate

Orphaned AI Agents: How to Find Hidden Access Risks Inside Your Network
If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it? For most enterprises, the answer is a simple no. The rush to adopt internal AI tools has left a massive trail of administrative debt: orphaned agents (AI tools left running after their creator leaves the company) and stand

Get Out of Security Debt by Tackling the Exposure Problem
Teams digging out of security debt need to answer only two simple questions: Which vulnerabilities in our systems are exposed, and how long should they stay that way?

Celebrating 12 years of Project Galileo
Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, Project Galileo provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 count

The Scripts on Your Checkout Page Are Now a PCI DSS Problem
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of t

Embedding Forbidden Text in Spyware to Discourage AI Analysis
At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. Details: The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips

HIPAA Training for Medical Spas
Medical spas that qualify as HIPAA-Covered Entities must provide all members of their workforce with HIPAA training that covers the foundational requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule, the specific compliance challenges that arise from working in a medical spa environment, and finally the internal policies

Oracle support timelines for Fusion Middleware tighter than expected
Oracle has shocked its customers by releasing new end-of-life conditions for its middleware products that thousands of large organizations rely on in their enterprise application deployments. In a missive published online earlier this month, Big Red warned that support for the widely used Oracle Fusion Middleware 12c Release 2 was approaching a “critical milestone.” Top-level P

Compliancy Group Acquires Healthicity
Compliancy Group has acquired Healthicity in a deal that combines two healthcare compliance software companies and expands Compliancy Group’s platform to include healthcare compliance, workforce compliance, risk assessment, third-party risk management, incident management, provider auditing, coding auditing, and documentation auditing. The acquisition was announced on June 17,

HIPAA Compliance for Medical Spas
Medical spas that collect health histories, administer injectable treatments, perform laser procedures, or operate under the supervision of a licensed physician are HIPAA-Covered Entities and must comply in full with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. This compliance obligation applies regardless of whether the facility d

EU Gets a Head Start in Developing 6G Network Security
"Shield-6G" will combine AI threat detection, digital twins, honeypots, and more, to help carriers protect 6G networks against the threats of tomorrow.

Bringing more agent harnesses and frameworks to Cloudflare, starting with Flue
Cloudflare is launching its Agents SDK as a foundational platform layer for production-grade AI agents, addressing distributed systems challenges like durable execution, state management, and secure code execution. The company introduces Flue, an open-source agent framework built on the Pi harness, which offers a declarative approach to building agents with built-in integrations for enterprise too

Git good with Epic Games' new open source VCS, Lore
Epic Games has open-sourced Lore, a centralized version control system originally developed as Unreal Revision Control for internal use and Fortnite development. Unlike Git and other VCS solutions, Lore treats binary files and text files as equals, making it purpose-built for game developers and other teams working with large binary assets alongside code. The system is released under the permissiv

INC Ransomware Thrives by Mastering the Basics
INC ransomware group has achieved success by focusing on fundamental attack strategies rather than sophisticated techniques. The group strategically targets sectors like healthcare where operational disruptions create urgent pressure to pay ransoms quickly, maximizing their likelihood of payment.

Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development
Microsoft has officially acknowledged a zero-day vulnerability in Microsoft Defender, designated CVE-2026-50656 with a CVSS score of 7.8. The flaw, codenamed RoguePlanet, is a privilege escalation vulnerability affecting the Microsoft Malware Protection Engine, and Microsoft is actively developing a patch to address it.
