An attacker compromised an administrative key tied to Echo Protocol’s deployment on the Monad blockchain network and used it to mint 1,000 eBTC tokens valued at about $76.7 million. The attacker granted their own wallet minting privileges, then deposited 45 eBTC as collateral into the Curvance decentralized lending protocol. Using that collateral, the attacker borrowed 11.29 WBTC, bridged the borrowed assets to Ethereum, swapped them for ETH, and sent about 385 ETH into Tornado Cash.
Grafana has confirmed that an unauthorized party gained access to its GitHub environment after obtaining a compromised token, allowing the attacker to download parts of its codebase. In a public statement shared on X, the company said its investigation found no evidence that customer data or personal information was accessed and that no evidence that customer systems or operations were affected. The breach was discovered after unusual activity triggered a forensic investigation.
Analyst Eric Heath raised the firm’s price target on Okta to $103 from $95 and kept an Overweight rating on the shares, citing a sharper outlook for enterprise security spending in the back half of the year.
The attack used code from the Shai-Hulud worm, published by malware outfit TeamPCP, which can extract secrets from memory used by GitHub Actions. It began with a PR that triggered an automatic workflow via TanStack's use of the pull_request_target feature, causing the malicious code to be built and run by a GitHub Action, poisoning a cache used across the entire repository.
According to TrendAI's Zero Day Initiative (ZDI), white hat hackers have been awarded $1,298,250 for 47 unique vulnerabilities. Nearly $750,000 of the total amount was won by the first two teams: Devcore and StarLabs SG. The two teams also received the highest payouts for a single exploit chain. Devcore earned $200,000 for a remote code execution exploit with System privileges on Microsoft Exchange, and $175,000 for a Microsoft Edge sandbox escape. It also received $100,000 for exploiting Microsoft SharePoint.
SCAM ALERT: There has been a huge escalation lately in airdrop and giveaway scams targetting XRPL users lately. Any such posts you see are likely scams. Ripple-linked fraud warnings in recent months have also covered phishing operations targeting XRP holders through fake verification requests and malicious wallet prompts. Some schemes encouraged users to connect wallets or submit sensitive recovery information through unofficial channels masquerading as trusted XRP resources.
