Last week in cybersecurity: 73,000 Fortinet accounts leaked, 152 malicious Chrome extensions, and 17 million WordPress attacks
- Hung Pham

Looking back at last week in cybersecurity, the landscape was dominated by 12 alarming events that exposed weaknesses in major platforms. Key incidents include the global leak of 73,000 Fortinet VPN credentials, 17 million attacks on WordPress, and targeted phishing in Vietnam.
Facing these rapidly spreading risks, organizations need to adopt a comprehensive cybersecurity solution and a timely incident-response process to protect their digital assets.
Why are online phishing and data theft becoming the biggest blind spots for Vietnamese enterprises?
The lack of strict access controls and endpoint management allows basic phishing tactics and malicious browser extensions to easily bypass enterprise perimeters. Reviewing events from last week in cybersecurity reveals that humans remain the most vulnerable link in the defense chain.
1. 152 Chrome extensions secretly collect data and fake Google Search traffic

A large-scale campaign involving 152 Chrome extensions (promoted as live wallpapers) has been discovered, recording approximately 105,000 installations aimed at secretly collecting user data and generating fake traffic.
Key Details: Despite declaring "no data collection", these extensions stealthily collect IP addresses and browser types, and automatically open hidden web pages to deceive Google's analytics tools into registering the visits as organic traffic.
Next Steps: Organizations should use Group Policy Objects (GPO) to block internal users from installing extensions from unknown sources. (Source: [WhiteHat.vn])
2. Warning on phishing traps stealing personal data during the 10th-grade exam score checking season
Exploiting the anticipation of exam results, cybercriminals have set up a series of fake portals mimicking the Department of Education and Training to steal sensitive personal data.
Key Details: Using SEO Poisoning techniques, malicious websites are pushed to high positions on Google Search. Upon access, victims are forced to enter their ID card numbers, full names, and phone numbers. Parents posting unredacted exam scores on social media also inadvertently aid criminals.
Next Steps: Only check scores via official links. Educational and relevant institutions must tighten data management procedures to ensure Decree 356/2025/ND-CP compliance regarding personal data protection. (Source: [WhiteHat.vn])
3. Promoting cybersecurity training for digital transformation
The frequency and complexity of cyberattacks in Vietnam are skyrocketing. In response, the National Innovation Center (NIC) organized a "Cybersecurity for Digital Transformation" training program for leaders and IT experts.
Key Details: The program focuses on practical topics: cyber defense architecture, cloud security, risk management, and ransomware prevention and incident response, aiming to realize the goal of enhancing national cybersecurity workforce capabilities. (Source: [Vietnam Investment Review])
How are global supply chain disasters and zero-day vulnerabilities threatening core IT infrastructures?
The exploitation of third-party plugins, legacy OAuth tokens, and misconfigured servers demonstrates that a single weak link in the supply chain can lead to massive data breaches. A deep dive into last week in cybersecurity highlights the critical need for proactive vulnerability management.
4. "FortiBleed": 73,000 VPN credentials of global Fortinet devices leaked
A misconfigured hacker server recently exposed a massive data collection containing the Fortinet VPN credentials of 73,932 firewalls belonging to multinational corporations.
Key Details: Victims in 194 countries include Samsung, Foxconn, and AT&T. The threat group executed approximately 1.16 billion brute-force attempts to crack credentials and penetrate deep into internal Active Directory networks.
Next Steps: Immediately rotate all Fortinet administrative passwords and strictly enforce Multi-Factor Authentication (MFA) for all external connections into the internal network. (Source: [BleepingComputer])
5. Supply chain attack targeting Red Hat's NPM repository
Dozens of JavaScript packages belonging to Red Hat's @redhat-cloud-services repository were injected with malware capable of stealing credentials and spreading autonomously to other systems.
Key Details: The malware (a Miasma variant) was injected via a compromised GitHub account and directly targets the theft of secrets and tokens associated with GitHub Actions, AWS, GCP, and Azure. (Source: [An toàn thông tin])
6. Over 17 million exploit attacks on the Gravity SMTP plugin for WordPress
A medium-severity security vulnerability (CVE-2026-4020) in the Gravity SMTP plugin is being aggressively exploited, allowing attackers to extract all configuration data, including sensitive API keys and OAuth tokens.
Key Details: The weakness lies in a REST API endpoint that returns system reports to unauthenticated callers without any authorization check. Attackers can harvest API keys for Amazon SES, Google, and Mailjet from those reports and use them to distribute spoofed phishing emails.
Next Steps: Update the plugin to version 2.1.5 and completely rotate all email service API keys. Leveraging AI-powered domain protection is highly recommended to prevent brand impersonation. (Source: [The Hacker News])
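As an added illustration of the bug class described above (this is not Gravity SMTP's own code; the namespace, option name and field names are hypothetical), a WordPress REST route that hands its report to anyone, beside a hardened route that requires an administrator and redacts stored secrets:

```php
<?php
// Illustrative WordPress plugin code (hypothetical names), not Gravity SMTP's source.
// Both routes are registered on the same hook so the contrast is side by side.

add_action( 'rest_api_init', function () {
    // Weak: '__return_true' makes the route readable by any anonymous client,
    // so GET /wp-json/example-smtp/v1/report-insecure dumps provider credentials.
    register_rest_route( 'example-smtp/v1', '/report-insecure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_report',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: only logged-in administrators pass the permission check, and the
    // callback never returns raw secrets. (Since WordPress 5.5, omitting
    // permission_callback entirely triggers a _doing_it_wrong notice.)
    register_rest_route( 'example-smtp/v1', '/report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_report_redacted',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_smtp_report( WP_REST_Request $request ) {
    // Returns every stored setting verbatim, API keys and OAuth tokens included.
    return rest_ensure_response( get_option( 'example_smtp_settings', array() ) );
}

function example_smtp_report_redacted( WP_REST_Request $request ) {
    $settings = get_option( 'example_smtp_settings', array() );
    // Mask credential fields so the report only confirms that a value is configured.
    foreach ( array( 'api_key', 'oauth_token', 'client_secret' ) as $key ) {
        if ( ! empty( $settings[ $key ] ) ) {
            $settings[ $key ] = '****' . substr( (string) $settings[ $key ], -4 );
        }
    }
    return rest_ensure_response( $settings );
}
```

Cookie-authenticated requests to the hardened route also need a valid REST nonce (X-WP-Nonce), otherwise WordPress treats the caller as logged out and the permission check fails.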
7. Operation Endgame rescues 14,971 WordPress sites from malware
International law enforcement authorities have taken down 106 servers and cleaned up nearly 15,000 websites infected by SocGholish (FakeUpdates), a notorious network specializing in ransomware distribution.
Key Details: SocGholish tricks users into downloading fake "browser updates" that act as gateways to drop LockBit and RansomHub malware. The operators use "domain shadowing" to create malicious subdomains hidden under legitimate domains. (Source: [The Hacker News])
8. A series of critical remote code execution (RCE) vulnerabilities patched in Chrome
Google released an emergency patch for 7 critical vulnerabilities in the Chrome browser, mostly use-after-free memory errors in core components such as WebShare, WebView, and Digital Credentials.
Key Details: Simply having a victim visit a specially crafted malicious website is enough to trigger the attack silently in the background and seize control of the device, without requiring the user to download any files. (Source: [WhiteHat.vn])
9. Other notable technology security incidents shaping last week in cybersecurity
Crypto Clipper malware: Exploits the Tor network and malicious .lnk shortcut files on USB drives to spread like a worm, silently stealing cryptocurrency wallet keys from Windows users. (Source: [Microsoft Security Blog])
Fortinet FortiSandbox vulnerabilities: A trio of critical vulnerabilities is being actively exploited, allowing hackers to execute unauthorized remote code (RCE) via command injection without any authentication. (Source: [An toàn thông tin])
Windows Recycle Bin bug: Microsoft's June 2026 update causes a widespread display error showing internal system filenames (e.g., $Rxxxxx.ext) instead of the real file names when items are permanently deleted. (Source: [BleepingComputer])
Salesforce disables Klue integration: The extortion group Icarus abused a forgotten legacy OAuth Token to query directly into Salesforce's CRM system via REST API and extract massive volumes of customer data. (Source: [The Hacker News])
Establish a comprehensive cybersecurity solution with IPSIP Vietnam experts
The common thread across all incidents from last week in cybersecurity is that attackers now spread faster than manual human response can keep up with. Instead of struggling to patch together fragmented protection tools, entrusting information security to a comprehensive cybersecurity solution is the optimal strategy for containing attack risks across the entire system.

Originating from France with over 15 years of experience, IPSIP Vietnam delivers international-standard security compliant with ISO 27001:2022 and SOC 2 Type II. Through a team of over 80 experts and continuous 24/7 SOC monitoring services, all abnormal signs - from ransomware and data leaks to supply chain attacks - are detected and isolated immediately.