SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape.
This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Here are this week’s highlights:
Trump Mobile data breach
Phone provider Trump Mobile has confirmed that customers’ names, addresses, email addresses, phone numbers, and other data were exposed to the internet. The company reportedly said a third-party platform provider was responsible for the exposure.
Russian hackers’ deep reach in Treasury emails
Documents presented in a Freedom of Information Act lawsuit filed by Bloomberg News against the US government show that the Russian state-sponsored APT responsible for the 2019-2020 SolarWinds supply chain attack had deep access to Treasury emails. The hackers reportedly focused on only eight email accounts linked to 300 other email addresses. The Treasury had roughly 94,000 people at the time.
VS Code Remote SSH extension vulnerability
A remote code execution (RCE) vulnerability in the Visual Studio Code (VS Code) Remote‑SSH extension could allow attackers to pivot to remote systems, security researcher Suman Kumar Chakraborty warns. The issue exists because, upon initiating a Remote SSH connection, the extension writes a bootstrap shell script to the Temp directory. An attacker with access to the system can modify the script before it is transmitted and executed on the remote server, to deploy a reverse shell.
UK Visa Portal exposes over 100,000 documents
Immigration portal UK Visa Portal publicly exposed over 100,000 documents of people who applied for a UK visa, TechCrunch reports. Not affiliated with the UK government, the website requires applicants to upload selfies and passports, and to pay a fee for obtaining visas. The exposed files were stored in an AWS S3 bucket and were secured earlier this week.
LinkedIn phishing campaign abuses Adobe Target
Phishers are impersonating LinkedIn in a new campaign disguised as a business inquiry. The emails contain fake contract attachments masquerading as PDFs. In fact, they are HTML files directing victims to the Adobe Target A/B testing platform. The attackers are abusing Adobe Target to track users and serve them fake login pages to steal their credentials before redirecting them to LinkedIn.
2026 FIFA World Cup in attackers’ crosshairs
Just as the 2026 FIFA World Cup is about to kick off, Group-IB has discovered over 4,300 fraudulent domains impersonating FIFA, including a sophisticated phishing campaign run by Chinese-speaking hacking group Ghost Stadium. The threat actor has set up over 300 domains, including a pixel-perfect clone of the legitimate FIFA site. The phishers could cause hundreds of millions of dollars in losses.
Veeam, Notepad++, Roundcube patches
Veeam this week resolved two high-severity vulnerabilities in its Backup & Replication product, warning they could lead to privilege escalation and arbitrary file writes. Notepad++ patched three security issues, including two leading to arbitrary code execution. The latest Roundcube security updates fix eight flaws, including unauthenticated SQL injection and arbitrary file delete bugs.
CISA responds to recent supply chain attacks
The US cybersecurity agency CISA has expanded its KEV catalog with three vulnerabilities describing recent software supply chain attacks. These include Daemon Tools Lite, TanStack, and Nx Console (which led to the hack of 3,800 internal GitHub repositories). CISA also issued an alert on the Megalodon and Nx Console attacks, urging organizations to hunt for and remediate potential compromises. NPM invalidated granular access tokens in response to these attacks.
Supply chain attack hits 176 NPM packages
Sonatype warns of a supply chain attack involving 176 malicious NPM packages containing postinstall scripts designed to install information-stealing malware on the victims’ computers. The malware harvests and exfiltrates credentials, system and directory information, environment variables, CI/CD secrets, and other tokens and sensitive information. All malicious packages have the version number 99.99.99.
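As an added example (not Sonatype's tooling and not part of the original report), the following sketch shows one way to hunt for the reported indicator in a project's package-lock.json: it flags every dependency pinned to version 99.99.99 and notes whether npm recorded an install script for it. The sample lockfile is constructed and all package names in it are hypothetical; a hit is a lead to review, since the version number alone does not prove a package is malicious.

```javascript
// Added example (not Sonatype's tooling). Sample data is constructed and
// every package name in it is hypothetical.
const SUSPECT_VERSION = "99.99.99"; // indicator reported for this campaign

// Takes a parsed package-lock.json, e.g. JSON.parse(fs.readFileSync(p, "utf8")),
// and returns every dependency pinned to the suspect version.
function findSuspectPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta || meta.version !== SUSPECT_VERSION) continue;
      const i = path.lastIndexOf("node_modules/");
      hits.push({
        name: meta.name || (i >= 0 ? path.slice(i + "node_modules/".length) : path),
        path,
        // npm sets this flag when the package declares install scripts.
        hasInstallScript: meta.hasInstallScript === true,
      });
    }
    return hits;
  }
  // lockfileVersion 1: nested tree; install scripts are not recorded (null).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(" > ");
      if (meta.version === SUSPECT_VERSION) hits.push({ name, path, hasInstallScript: null });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v3 layout) with two entries at the suspect version.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/padding-example": { version: "1.3.0" },
    "node_modules/@acme-internal/build-utils": { version: "99.99.99", hasInstallScript: true },
    "node_modules/web-example/node_modules/cfg-helper-example": { version: "99.99.99" },
  },
};

for (const h of findSuspectPackages(sampleLock)) {
  console.log(`${h.name}@${SUSPECT_VERSION} (${h.path}) installScript=${h.hasInstallScript}`);
}
```

Entries with `hasInstallScript` set deserve review first, and installing with `npm ci --ignore-scripts` keeps postinstall scripts from running while the findings are triaged.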
Contractor jailed for hacking former employer
Maxwell Schultz, 36, of Columbus, Ohio, was sentenced to 24 months in federal prison for hacking into his employer’s network after his contract was terminated in May 2021. Impersonating another contractor, he obtained login credentials, accessed the former employer’s systems, and executed a script that reset roughly 2,500 passwords, locking out employees and contractors and causing more than $862,000 in losses. Schultz pleaded guilty in November 2025.

