From Global Fraud Busts to Stealthy Code Injection: The Week in Cybersecurity
This week's cybersecurity landscape highlights a range of threats, from massive international fraud operations to subtle, yet potent, code injection techniques. Security professionals face an evolving challenge, with attackers leveraging everything from typosquatting to sophisticated social engineering to breach defenses and exfiltrate sensitive data.
The digital threat landscape continues to evolve, with new attack vectors and refined techniques emerging regularly. This week's major security incidents underscore the importance of vigilance, robust security practices, and global cooperation to counter sophisticated cybercrime.
### Global Fraud Bust Intercepts $293 Million
A massive international anti-fraud operation, **First Light 2026**, involving 97 countries and territories, has led to the arrest of 5,811 individuals and the interception of $293 million in illicit assets. Conducted between January 15 and April 30, 2026, the operation targeted social engineering scams and associated money laundering activities.
**INTERPOL** reported that over 142,000 victims were identified globally, emphasizing the widespread impact of these transnational threats. The operation solved more than 23,000 cases and identified 15,606 suspects. Notable successes include the dismantling of a criminal network in Eswatini and the uncovering of a cryptocurrency-based money laundering scheme in Thailand.
### Malicious Typosquatting Targets Payment SDKs
Security researchers have uncovered a cluster of 17 malicious npm and **PyPI** packages that typosquat popular payment SDKs from **Paysafe**, **Skrill**, and **Neteller**. These packages are designed to steal system information and developer secrets, exfiltrating them to an **Ngrok** endpoint.
**Socket** reported that the malware employs evasion techniques, skipping machines with fewer than two CPU cores or hostnames/usernames containing sandbox indicators. The threat actor also utilized an obfuscator, varying obfuscation keys across versions and packages to hinder tracking and detection.
### Stealthy Code Injection via Process Parameter Poisoning (PΒ³)
Cybersecurity researchers Max Hirschberger and Ogulcan Ugur have detailed a novel code injection technique called **Process Parameter Poisoning (PΒ³)**. This method leverages the Process Parameters structure as an execution and staging location for shellcode, allowing injection into remote processes without triggering common detection mechanisms.
According to the researchers, a significant advantage of **PΒ³-Shellcode Loader** is that it avoids creating processes in a suspended state or suspending threads during execution, making it particularly stealthy. Their work highlights a sophisticated approach to bypassing traditional security alarms.
### Critical Vulnerability in Esri ArcGIS Server
A critical security flaw in **Esri ArcGIS Server** versions 12.0 and prior (**CVE-2026-9181**, CVSS score: 9.8/7.5) has been identified. This vulnerability allows unauthenticated attackers to access sensitive files on the system by sending crafted path parameters.
**Horizon3.ai** explained that the flaw resides in the ArcGIS Server REST Uploads resource, where insufficient validation permits directory traversal outside the intended boundary. This could lead to significant data exposure and system compromise.
### Ransomware Tooling Overlap and Interconnections
New analysis of the **Interlock** (aka **Hive0163**) ransomware operation reveals significant tooling overlaps with **TAG-124** (aka **KongTuke** and **Landupdate808**). **IBM X-Force** uncovered strong similarities between malware variants like **NodeSnake**, **ModeloRAT**, **JunkFiction downloader**, **Interlock RAT**, and **Supper**, suggesting a shared codebase or developer pool.
Furthermore, connections between **Rhysida** ransomware and **IceNova** (aka **Latrodectus**) operators, as well as **ITG23** (aka **TrickBot**), have been observed. Early versions of **JunkFiction** dating back to May 2024 indicate a long-standing and evolving threat ecosystem, with various downloaders delivering legitimate remote administration tools for malicious purposes.

### China's CNVDB Issues Claude Data Warning
China's **National Vulnerability Database (CNVDB)** has issued an urgent warning to developers, recommending the uninstallation of certain **Claude Code** versions. The agency claims these versions (2.1.91 to 2.1.196) contain "backdoor code" capable of collecting sensitive user data, such as location and identity, and forwarding it to remote servers without consent.
This disclosure follows a previous report about covert code in Claude designed to prevent Chinese AI companies from extracting model details. While **Anthropic** stated this was an experiment to protect against model distillation, the CNVDB's alert raises significant privacy concerns, urging immediate investigation and upgrades to secure versions.
### Microsoft Teams Abused in EtherRAT Delivery
A sophisticated social engineering campaign is combining email phishing with fake IT support scams, leveraging **Microsoft Teams** calls to deliver **EtherRAT**. **Palo Alto Networks Unit 42** observed attackers luring victims with fake "Employee Survey" emails, then initiating Teams calls impersonating "System Administrators."
The attackers exploit Teams' remote control features to guide victims into installing legitimate Remote Monitoring and Management (RMM) tools like **HopToDesk** and **AnyDesk** for persistence. They then use `curl.exe` to download and execute a malicious MSI (v7.msi) from `camorreado[.]click`, which acts as a multi-stage loader for **EtherRAT**.