Today’s roundup
Emergency Microsoft update fixes in-the-wild Office zero-day
Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas
Dormakaba flaws allow access to major organizations’ doors
Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code
Who Operates the Badbox 2.0 Botnet?
Revealed: Leaked Chats Expose the Daily Life of a Scam Compound’s Enslaved Workforce
Have I Been Pwned: SoundCloud data breach impacts 29.8 million accounts
World Leaks Ransomware Group Claims 1.4TB Nike Data Breach
New malware service guarantees phishing extensions on Chrome web store
Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies
Summary
Microsoft issued emergency updates for an actively exploited Office zero-day, CVE-2026-21509. This high-severity security bypass affects multiple Office versions, including Microsoft 365, requiring users to open a malicious file for exploitation. Patches are available, with manual registry changes needed for Office 2016/2019.
A critical remote code execution (RCE) vulnerability, CVE-2026-24002 (CVSS 9.1), was disclosed in Grist-Core, an open-source spreadsheet database. Codenamed 'Cellbreak,' the flaw enables RCE via malicious spreadsheet formulas, posing a severe risk to self-hosted Grist systems.
Over 20 critical security flaws were found in Dormakaba exos 9300 physical access control systems, potentially allowing remote door unlocking and reconfiguration without authentication. These systems are used by major European organizations, with some access managers found exposed directly to the internet. Patches have been released by Dormakaba.
Two malicious AI-powered VS Code extensions, accumulating 1.5 million installs, were discovered siphoning developer source code to China-based servers. These extensions remain available, posing a supply chain risk to developers.
KrebsOnSecurity's investigation uncovered insights into the operators of the Badbox 2.0 botnet, which infects millions of Android TV boxes. Evidence suggests Kimwolf botmasters gained unauthorized access to the Badbox 2.0 control panel, enabling direct malware deployment.
An investigative report by Wired, based on 4,200 pages of leaked chats, exposed the inner workings and human exploitation within a Southeast Asian "pig butchering" scam compound. The leaks reveal the industrial scale of these cybercriminal operations.
The SoundCloud platform suffered a data breach impacting 29.8 million user accounts. Hackers exfiltrated personal and contact information, prompting an alert from Have I Been Pwned.
The World Leaks ransomware group has claimed a 1.4TB data breach against Nike, with the company currently investigating the alleged exfiltration and subsequent data dump.
A new malware-as-a-service (MaaS) named 'Stanley' is facilitating phishing campaigns by promising to publish malicious Chrome extensions that bypass Google's Web Store review process.
Hackers have found a way to bypass npm's 'Shai-Hulud' supply-chain defenses by exploiting weaknesses related to Git dependencies. This creates a renewed risk for malicious code injection into development projects.