SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape.
This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Here are this week’s highlights:
Google Cloud highlights faster cloud attacks in new threat report
Google has released its Cloud Threat Horizons Report for the first half of 2026, drawing on data from the second half of 2025. The report shows threat actors now exploit software vulnerabilities more often than weak credentials for initial access, with the time from vulnerability disclosure to active attacks shrinking from weeks to days. Data theft remains the primary goal in most incidents, often achieved through identity compromise, vishing, or token theft, while living-off-the-land techniques and AI-assisted methods help attackers remain hidden and move quickly.
Polish police identify seven minors selling DDoS tools
Polish cybercrime investigators have identified seven minors, aged 12 to 16 at the time of the offenses, who distributed online software designed for launching DDoS attacks. The group targeted various popular websites, including auction platforms, sales sites, IT-related domains, hosting providers, and accommodation booking services. They operated as a coordinated team for profit and were fully aware of the illegal nature of their activities.
US indicts third BlackCat ransomware negotiator
US prosecutors have charged a third individual with acting as a negotiator for the BlackCat/Alphv ransomware gang. The defendant, Angelo Martino, worked as a ransomware negotiator for DigitalMint. Two other cybersecurity experts pleaded guilty to their role in the scheme a few months ago.
US defense contractor suspected of creating Coruna exploits
US military contractor L3Harris is believed to have developed at least some of the Coruna iOS exploits. The exploits were reportedly created by the contractor for legitimate US government purposes but ended up in the hands of Russian actors. The exploit leak may be related to the case of a former executive at L3Harris division Trenchant, who was recently jailed for selling Android and iOS exploits to Russia. Apple this week updated older iOS versions to address the Coruna exploits.
Telus Digital data breach
Telus Digital has confirmed a cybersecurity incident after ShinyHunters hackers claimed to have stolen around 1 petabyte of information from the company’s systems. Telus stated that it is actively investigating the breach, but did not share further details on the exact data involved or how the attackers gained access.
n8n vulnerability exploited
CISA has added a vulnerability in the open source workflow automation tool n8n to its Known Exploited Vulnerabilities catalog. The flaw, tracked as CVE-2025-68613, allows remote code execution. Several critical n8n vulnerabilities were disclosed in recent months, but CVE-2025-68613 appears to be the first that has been exploited in the wild. There does not appear to be any public information about the attacks.
New CrackArmor vulnerabilities in Linux AppArmor allow root privileges
Researchers from Qualys uncovered nine vulnerabilities in the Linux security module AppArmor (collectively called CrackArmor) that could allow an unprivileged local user to escalate privileges and gain root access. The flaws create a “confused deputy” scenario in which attackers manipulate security profiles through trusted tools such as Sudo or Postfix and bypass kernel protections. The issues, which date back to 2017, potentially expose millions of enterprise Linux deployments.
Critical Veeam product vulnerabilities
Veeam has released an advisory regarding several critical and high-severity vulnerabilities affecting its Backup & Replication product. The vulnerabilities can be exploited to bypass security features, escalate privileges, and remotely execute code. There is no evidence of in-the-wild exploitation, but it’s not uncommon for threat actors to target Veeam product vulnerabilities in their attacks.
Global cybercrime crackdown
An international law enforcement effort coordinated by Interpol took down more than 45,000 malicious IP addresses and servers used for phishing, malware, ransomware, and online fraud campaigns. The operation, known as Operation Synergia III and conducted between July 2025 and January 2026, involved authorities from 72 countries and resulted in 94 arrests, with another 110 suspects under investigation. Cybersecurity firms including Group-IB supported the effort by providing threat intelligence to help identify criminal infrastructure and coordinate global takedowns.
AI-generated Slopoly malware found by IBM
IBM security researchers have come across a new piece of malware dubbed Slopoly, which they believe was likely generated by AI. The malware was used in the later stages of an attack by a financially motivated cybercrime group named Hive0163, which is known for the use of the Interlock ransomware. “Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” the IBM researchers said.

