Malware Activity
Fake Repositories and Social Engineering Attacks
Recent cybersecurity incidents highlight the growing sophistication of cybercriminals targeting developers and organizations. One attack involved creating fake coding projects on trusted platforms like GitHub, designed to trick developers into running malicious scripts that give hackers remote control over their machines, risking data theft and network breaches. Meanwhile, a Russian-linked group known as UAC-0050 or Mercenary Akula has targeted European financial institutions with convincing fake emails impersonating Ukrainian courts, leading to malware infections that grant remote access. These tactics, blending social engineering and stealthy malware delivery, show the increasing use of deception to infiltrate sensitive systems. Experts advise organizations and developers to be vigilant, adopt strong security practices, and monitor suspicious activity to defend against these complex threats to both individual users and critical institutions. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
BleepingComputer: Fake Next.js Job Interview Tests Backdoor Developer’s Devices Article
Threat Actor Activity
New Phishing Operation Targeting Freight, Cargo, and Logistics Industries in US, Europe
The Diesel Vortex group, a financially motivated threat actor, has been targeting freight and logistics operators in the U.S. and Europe using phishing attacks across fifty-two (52) domains since September 2025. This campaign resulted in the theft of 1,649 unique credentials from key industry platforms such as DAT Truckstop and Penske Logistics. The group’s phishing infrastructure was designed to mimic logistics platforms, capturing sensitive data like credentials, PINs, and two-factor authentication codes. They employed techniques like voice phishing (vishing) and Telegram channel infiltration, using Cyrillic homoglyphs to evade security filters. Researchers from Have I Been Squatted uncovered the operation through an exposed repository containing a phishing project database and Telegram logs. Analysis revealed that Diesel Vortex, likely Armenian-speaking with Russian ties, operated a sophisticated criminal enterprise complete with a call center and mail support. The operation involved freight impersonation, mailbox compromise, and double-brokering, where stolen carrier identities were used to divert cargo. The infrastructure supporting Diesel Vortex was dismantled following a coordinated effort by GitLab, Cloudflare, Google Threat Intelligence Group, and others. The operation’s ties to Russian companies were established through domain registration data and corporate filings. The campaign highlights the growing threat of cargo theft in the digital logistics sector, with estimated annual losses around $35 billion. The U.S. is responding with legislative measures like the “Combatting Organized Retail Crime Act of 2025” to address cargo theft and related crimes.
Bleeping Computer: Diesel Vortex Article
The Record: Diesel Vortex Article
Vulnerabilities
Configuration-Based Flaws in Anthropic Claude Code Enable RCE and API Key Exfiltration
Researchers from Check Point have disclosed multiple vulnerabilities in Anthropic’s Claude Code AI coding assistant that could allow remote code execution (RCE) and theft of sensitive API credentials when developers open untrusted repositories. The issues stem from configuration abuse involving Hooks, Model Context Protocol (MCP) servers, and environment variables, enabling attackers to execute arbitrary shell commands and exfiltrate Anthropic API keys without meaningful user interaction. The flaws include a consent-bypass code injection vulnerability tied to project hooks (fixed in v1.0.87),
The Hacker News: Claude Code Vulnerabilities Article

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
