Cyber News Bytes: What’s Happening in Cybersecurity This Week
This week's latest cybersecurity news and industry updates
Hey all! It’s been quite a week out there, from a telecom breach touching millions of inboxes to a genuine win for the defenders.
Here are the four stories worth your attention! →
1. A Japanese telecom giant may have exposed up to 14.2 million email logins
KDDI, one of Japan's largest internet providers, disclosed that attackers broke into an email system it operates for itself and five other ISPs in the country.
The company says it discovered the compromise on June 17 and responded immediately by blocking the attacker and implementing defensive measures.
Investigators determined that the hackers exploited a vulnerability in unnamed third-party software that KDDI used on its system.
KDDI warned that customers' email addresses and passwords may have been obtained, with as many as 14.2 million logins potentially in scope across the six providers.
Why it matters: Your security is only ever as strong as the vendors and tools you build on, and a single shared system can put millions of accounts at risk in one shot.
Read more at BleepingComputer
2. Polymarket users lost around $3 million in a frontend supply-chain attack
Polymarket, one of the world's largest crypto-based prediction markets, told users this week that a third-party vendor had been compromised.
The company said the hack was the result of a supply-chain attack that impacted a dependency on its website, injecting a malicious script into the platform's frontend for some users.
Notably, the attackers never touched the smart contracts, since the on-chain code worked exactly as designed, and instead targeted the weaker external link feeding code into the website.
The malicious script drained roughly $2.9 million from user wallets, and Polymarket said it removed the bad code and will fully refund everyone affected.
This was the platform's second security scare in barely a month, following a separate private-key exploit in May.
Why it matters: Even a hardened backend and audited contracts cannot save you if a compromised dependency is loading straight into the page your users see, which is exactly where trust gets exploited.
Read more at BleepingComputer
3. An Amazon AI coding assistant flaw could have handed over your cloud keys
Amazon patched CVE-2026-12957, a high-severity flaw in Amazon Q Developer that let a malicious repository run commands and steal a developer's AWS credentials.
Researchers at Wiz showed that a single config file dropped in a repo was enough to go from git clone to full cloud compromise.
The root cause was that Amazon Q automatically loaded server configurations from a hidden workspace file without any consent prompt or trust check, and the processes it spawned inherited the developer's full environment, including AWS keys, cloud tokens, API secrets, and SSH agent sockets.
There is no known public exploitation, and the fix ships automatically once you reload your IDE, but it is part of a string of similar auto-execution issues researchers have flagged across AI coding assistants this year.
Why it matters: If you are leaning on AI dev tools, treat every unfamiliar repository as untrusted, keep your plugins current, and remember that "open this project" can quietly mean "run this code."
Read more at The Hacker News
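The environment inheritance behind this story, seen from the mitigation side, as an added example (not code from Amazon, Wiz, or this newsletter): a helper process started with an allowlisted environment cannot see the cloud keys or SSH agent socket that a default spawn hands over. The allowlist, the name patterns, and every sample value are constructed assumptions.

```python
import os
import subprocess
import sys

# Variables a spawned helper plausibly needs (assumed allowlist; tune per tool).
SAFE_VARS = {"PATH", "HOME", "LANG", "LC_ALL", "TERM", "TMPDIR", "SYSTEMROOT"}

# Name patterns that usually mark credentials or agent sockets (not exhaustive).
SENSITIVE_PREFIXES = ("AWS_", "AZURE_", "GOOGLE_", "GCP_", "GITHUB_", "SSH_")
SENSITIVE_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "API_KEY", "CREDENTIAL")


def is_sensitive(name: str) -> bool:
    upper = name.upper()
    return upper.startswith(SENSITIVE_PREFIXES) or any(m in upper for m in SENSITIVE_MARKERS)


def scrubbed_env(parent: dict) -> dict:
    """Allowlist first, then drop anything that still looks like a secret."""
    return {k: v for k, v in parent.items() if k in SAFE_VARS and not is_sensitive(k)}


def leaked_names(env: dict) -> list:
    """Spawn a child with `env` and return the sensitive variable names it can read."""
    probe = "import os; print('\\n'.join(sorted(os.environ)))"
    out = subprocess.run([sys.executable, "-c", probe], env=env,
                         capture_output=True, text=True, check=True).stdout
    return [name for name in out.split() if is_sensitive(name)]


# Constructed developer environment: every secret value below is a placeholder.
SAMPLE_PARENT = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/home/dev",
    "AWS_ACCESS_KEY_ID": "constructed-key-id",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "GITHUB_TOKEN": "constructed-token",
    "SSH_AUTH_SOCK": "/tmp/ssh-constructed/agent.1",
    "STRIPE_API_KEY": "constructed-api-key",
    **{k: os.environ[k] for k in ("SYSTEMROOT",) if k in os.environ},
}

if __name__ == "__main__":
    print("inherited as-is:", leaked_names(SAMPLE_PARENT))
    print("allowlisted    :", leaked_names(scrubbed_env(SAMPLE_PARENT)))
```

The same check works as a quick audit of any tool that launches helpers on your behalf: if the child can list your credentials, so can whatever a repository tells that tool to run.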
4. A win for the good guys as Microsoft and global police smash a malware "assembly line"
Microsoft, law enforcement, and several cybersecurity companies teamed up to take down the shared infrastructure behind two widely used malware families, Amadey and StealC.
The two strains were linked to more than 140,000 infected computers worldwide in just the first two weeks of May, and the operation identified over 18,000 victim machines and severed criminal control of them.
Investigators seized more than 25 million unique stolen credentials and flagged over $47 million in crypto, using AI to map how the two malware families connected.
In a first for this kind of disruption, the teams went after both cybercrime tools at once rather than one at a time, treating them as a single criminal operation.
Why it matters: Infostealers like StealC are exactly what quietly harvest the passwords behind so many of the breaches we cover, so knocking out the pipeline that feeds them is a real and rare bit of good news.
Read more at The Hacker News
If there is a thread running through this week, it is third-party trust.
The KDDI, Polymarket, and Amazon Q stories all started with something external, whether a vendor, a dependency, or a repo, that was trusted a little too easily.
The good news is that the same community can push back hard when it works together, and the StealC takedown is proof of that.
Audit what you rely on, keep your tools patched, and stay curious about where your trust actually goes.
Stay patched. Stay skeptical. Talk soon.
Sandra / Cyber With Sandra | www.withcybersecurity.com