19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges
Peter Stokes, a 19-year-old dual U.S.-Estonian citizen accused of belonging to the prolific Scattered Spider hacking group, was extradited from Finland and made his first Chicago federal court appearance this week on charges of conspiracy, computer intrusion, and fraud. Prosecutors say Scattered Spider has been tied to more than 100 network intrusions generating over $100 million in ransom payments. They also say that Stokes specifically breached a luxury jewelry retailer last May, demanding $8 million in cryptocurrency before the company’s security team expelled the intruders. The company still absorbed roughly $2 million in disruption and recovery costs.
Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts
A critical OS command injection vulnerability in Progress Kemp LoadMaster, tracked as CVE-2026-8037 with a CVSS score of 9.6, is now being actively targeted by attackers after exploitation attempts began on June 29. The flaw stems from a function that fails to properly null-terminate sanitized input, creating an out-of-bounds heap read that lets an unauthenticated attacker send crafted requests to run arbitrary commands on affected load balancer appliances; administrators are urged to patch immediately given that a proof-of-concept exploit is now circulating.
Hackers breached DHS information-sharing network, people familiar say
An unknown threat actor accessed the Homeland Security Information Network, a platform used by federal, state, local, and private-sector partners to share sensitive but unclassified information, sometime between late May and early June. Investigators targeted HSIN servers and a linked SharePoint collaboration system, and while DHS says classified networks were unaffected and the platform remains operational, the timing has raised concern given the department’s role coordinating security for World Cup events currently underway across the country.
Sandbox bypass flaws in Cursor IDE highlight prompt injection as an RCE vector
Researchers at Cato Networks disclosed two vulnerabilities, dubbed DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549, that let a prompt injection delivered through an MCP server or poisoned web result trick the Cursor AI coding assistant into escaping its command execution sandbox and achieving full remote code execution with no user interaction required. The flaws involved a parameter that let attackers redirect file operations outside the project directory and a symlink-resolution fallback that bypassed path restrictions. Both were patched in Cursor 3.0, but researchers say similar isolation-layer weaknesses likely exist across other AI-assisted coding tools.
ScreenConnect abused to deploy AsyncRAT in widespread campaign
Kaspersky identified a large, multi-language campaign using more than 90 spoofed domains to distribute installers disguised as popular software like OBS Studio and Bandicam, which sideload a rogue library to silently deploy the ScreenConnect remote access tool. From there, a PowerShell script disables Defender protections and User Account Control before extracting and launching the AsyncRAT trojan via process hollowing, giving attackers covert remote control, data theft, and screen-recording capability. Persistence is maintained through a scheduled task that restarts the chain every two minutes and after reboots.