E-Learning
Breach intelligence, attack campaigns, and threat reports targeting the E-Learning sector.
E-Learning Threat Reports
Cybercriminals Exploit Shop App in Advanced Phishing Attack - June 2026
In June 2026, threat actors exploited Shopify's order-tracking app, Shop, by inserting fraudulent purchase receipts into users' order histories. These fake receipts, impersonating brands like Norton and PayPal, included phone numbers leading to scammers posing as support agents. Victims were deceived into disclosing sensitive information or installing remote access software, facilitating unauthorized access to their devices. This method leverages the inherent trust users place in the Shop app, making the scam particularly effective. This incident underscores a significant evolution in phishing tactics, moving beyond traditional email-based schemes to infiltrate trusted applications directly. The rise of such sophisticated social engineering attacks highlights the urgent need for enhanced security measures and user vigilance within digital platforms.
13 hours ago
The Rise of 'Search Your Target' Services in Cybercriminal Markets
Between January 2025 and June 2026, threat actors have developed a 'search your target' service, transforming vast collections of credentials obtained through infostealer malware into searchable databases. This service enables buyers to request specific credentials based on company, platform, domain, geography, or account type, streamlining the process of acquiring targeted access. Researchers analyzed 470 underground forum posts, revealing that these services act as intermediaries between raw log trading and account takeover activities, often operated by Malware-as-a-Service (MaaS) providers and consumers. They offer functionalities such as targeted extraction, filtering, deduplication, and formatting from extensive infostealer databases containing tens of billions of records. The emergence of these services signifies a shift in the cybercriminal ecosystem, highlighting the increasing commoditization and specialization within underground markets. This trend underscores the necessity for organizations to enhance their credential management practices, implement robust monitoring systems, and adopt proactive security measures to mitigate the risks associated with credential-based attacks.
3 days ago
Critical NGINX Vulnerabilities CVE-2026-42530 and CVE-2026-42055 Disclosed by F5
In June 2026, F5 disclosed two critical vulnerabilities in NGINX, identified as CVE-2026-42530 and CVE-2026-42055. These flaws reside in the ngx_http_v3_module and the ngx_http_proxy_v2_module/ngx_http_grpc_module, respectively. Unauthenticated remote attackers can exploit these vulnerabilities to cause denial-of-service conditions or execute arbitrary code on systems with non-default configurations. Exploitation leads to use-after-free or heap-based buffer overflow in the NGINX worker process, potentially resulting in system crashes or code execution, especially on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed. The disclosure underscores the persistent risk posed by vulnerabilities in widely used web server software. Organizations relying on NGINX should promptly apply the provided security patches or implement recommended mitigations to prevent potential exploitation. This incident highlights the importance of regular security assessments and timely updates to maintain system integrity.
1 week ago
ShapedPlugin Supply Chain Attack: A Wake-Up Call for WordPress Security
In May 2026, ShapedPlugin, a WordPress plugin vendor, experienced a supply chain attack where malicious code was injected into their update system. This breach affected three paid plugins—Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro—leading to the installation of fake plugins that impersonated WooCommerce components. These malicious plugins stole credentials and granted attackers remote file-writing capabilities. The compromise was identified in June 2026, prompting ShapedPlugin to initiate an investigation and release updated, secure versions of the affected plugins. This incident underscores the growing trend of supply chain attacks targeting software vendors to distribute malware through legitimate update channels. It highlights the critical need for robust security measures in software development and distribution processes to prevent such breaches.
1 week ago
Hazy Hawk's 2026 Subdomain Takeover: A Wake-Up Call for DNS Security
In April 2026, the threat actor group known as Hazy Hawk executed a coordinated subdomain takeover campaign targeting 34 major U.S. universities, including MIT, Harvard, and Stanford. By exploiting abandoned DNS records pointing to decommissioned cloud services, they hijacked these subdomains to host explicit content, which was subsequently indexed by search engines under the universities' trusted .edu domains. This incident underscores the critical need for organizations to maintain rigorous DNS hygiene and promptly remove or update DNS entries associated with decommissioned services to prevent unauthorized subdomain takeovers.
1 week ago
CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation
In May 2026, a critical vulnerability (CVE-2026-54420) was identified in the LiteSpeed cPanel Plugin versions prior to 2.4.8, allowing users with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux or CageFS. This flaw, resulting from improper handling of symbolic links, was actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities catalog on June 15, 2026. Administrators were urged to upgrade to LiteSpeed WHM Plugin v5.3.2.1 or later to mitigate the risk. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-54420)) The incident underscores the persistent threat posed by privilege escalation vulnerabilities in widely used web hosting environments. It highlights the importance of timely patch management and vigilant monitoring to prevent unauthorized access and potential system compromise.
1 week ago
OptinMonster WordPress Plugin Hacked in CDN Supply-Chain Attack
In June 2026, a supply-chain attack targeted WordPress plugins OptinMonster, TrustPulse, and PushEngage, all managed by Awesome Motive. Attackers exploited a vulnerability in the UpdraftPlus plugin to access Awesome Motive's marketing server, obtaining credentials for their content delivery network (CDN). They then injected malicious JavaScript into CDN-hosted files, which, when loaded by websites using these plugins, created rogue administrator accounts and installed backdoor plugins, granting full control over the compromised sites. This incident underscores the critical need for robust security measures in third-party integrations and highlights the growing trend of supply-chain attacks targeting widely-used software components.
1 week ago
Massive WordPress Plugin Supply Chain Attack Exposes Over 1.2 Million Sites
In June 2026, a sophisticated supply chain attack targeted WordPress sites utilizing the PushEngage, OptinMonster, and TrustPulse plugins. Malicious actors tampered with JavaScript files served by these plugins, embedding code that, when loaded by a logged-in administrator, created unauthorized admin accounts and installed concealed backdoors. This breach potentially compromised over 1.2 million websites, granting attackers full control to exfiltrate data, deploy malware, or manipulate site content. The attack was active for varying durations across the plugins, with OptinMonster and TrustPulse affected for approximately 25 minutes on June 12, while PushEngage's exposure extended over several hours into June 14. This incident underscores the escalating threat of supply chain attacks within the WordPress ecosystem, highlighting the critical need for vigilant monitoring of third-party plugins and the implementation of robust security measures to detect and mitigate unauthorized code modifications.
1 week ago
FBI Dismantles AI-Powered Phishing Operation 'Outsider Enterprise'
In June 2026, the FBI, in collaboration with Google and Black Lotus Labs, dismantled 'Outsider Enterprise,' a Chinese phishing-as-a-service operation active since at least 2023. This cybercrime network utilized AI to distribute phishing kits, creating over 9,000 fake websites and more than a million fraudulent URLs. These sites impersonated trusted brands, leading to the theft of approximately 3.8 million credit card records and causing an estimated $1.9 billion in losses. The takedown, part of Operation Riptide, involved seizing multiple servers, a Shopify storefront, and around $100,000 USDT from Outsider's payment wallets. Thousands of phishing domains now redirect to an FBI splash page. This incident underscores the escalating use of AI in cybercrime, enabling large-scale, sophisticated phishing campaigns. The success of Operation Riptide highlights the importance of coordinated efforts between law enforcement and private sector entities in combating such threats.
1 week ago
FBI Dismantles Outsider Cybercrime Network Responsible for $1.9 Billion in Losses
In June 2026, the FBI, in collaboration with Google and Lumen Technologies, dismantled a significant China-based cybercrime network known as Outsider Enterprise. This operation, dubbed 'Operation Ghost Hook,' targeted a phishing-as-a-service platform that had been active since July 2023. Outsider provided cybercriminals with phishing kits and hosted infrastructure, enabling them to impersonate trusted brands and defraud victims across 55 countries, including the United States. The takedown resulted in the seizure of several core admin server domains, a Shopify storefront, approximately $100,000 from Outsider's payment wallets, and thousands of domains registered through U.S.-based providers. Authorities linked Outsider's phishing domains to nearly 3.9 million stolen credit cards, contributing to an estimated $1.9 billion in losses. This incident underscores the evolving sophistication of cybercriminal operations, particularly the use of AI to enhance phishing campaigns. The Outsider platform's integration of AI tools like Google's Gemini allowed for the creation of highly convincing phishing lures, making it increasingly challenging for individuals and organizations to detect and prevent such attacks. The takedown highlights the necessity for continuous advancements in cybersecurity measures and the importance of international cooperation in combating cyber threats.
1 week ago
Critical Vulnerability in Everest Forms Pro Exploited to Hijack WordPress Sites
In June 2026, a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin for WordPress was actively exploited by attackers to gain unauthorized control over websites. The flaw, present in versions up to and including 1.9.12, resided in the plugin's Complex Calculation feature, which improperly handled user input, allowing unauthenticated remote code execution. Exploiting this, attackers created rogue administrator accounts, enabling them to modify content, install malicious plugins, and access sensitive data. The vulnerability was patched on March 18, 2026, but exploitation began on April 13, 2026, with over 29,300 attempts blocked by security tools. This incident underscores the persistent threat posed by vulnerabilities in widely-used WordPress plugins. Website administrators are urged to promptly update plugins and monitor for unauthorized access to mitigate such risks.
2 weeks ago
Magecart Attack Leverages Stripe API to Steal Credit Card Data
In June 2026, a sophisticated Magecart campaign exploited Stripe's API infrastructure to host and exfiltrate stolen credit card information from e-commerce checkout pages. Attackers injected malicious JavaScript into Google Tag Manager containers, which activated on checkout pages to capture payment data. The stolen data was then obfuscated and stored within Stripe's customer records, effectively using Stripe as a storage backend for the exfiltrated information. This method allowed the skimmer to bypass traditional security measures by leveraging trusted domains like api.stripe.com. This incident underscores the evolving tactics of cybercriminals who now exploit trusted third-party services to conduct attacks, making detection and prevention more challenging. The use of legitimate platforms for malicious purposes highlights the need for continuous monitoring and advanced security measures to protect sensitive customer data.
3 weeks ago