
[Image: Smart TV on an entertainment center in a living room, showing low-utility apps on the screen.]

Spur Intelligence scanned 6,038 apps across LG webOS and Samsung Tizen and found 2,058 that contain residential proxy software — more than one-third of the smart-TV apps it reviewed.

Spur Intelligence's smart-TV proxyware finding

The firm reported that 42.5% of LG webOS apps and 26.9% of Samsung Tizen apps it reviewed carried residential proxy software, with an aggregate rate across both platforms of 34.1%. Spur flagged low-utility apps — clocks, screensavers, games, fish tanks — as carriers of the SDKs that implement proxying. Bright Data, Massive, and Oxylabs were the top three SDK providers identified on webOS and Tizen.

Spur explained why televisions make attractive proxy hosts: "Smart TVs are almost ideal proxy hosts. They sit on the same home network as everything else, but they do not feel like computers, so people rarely audit them like computers." The company also warned that apps may obtain technically valid consent without verifying whether the consenting user is authorized to provide it, creating the risk of office or shared-device exposure. Amazon and Roku already prohibit apps that facilitate third-party proxy services; according to Spur, LG and Samsung have not yet enforced an equivalent policy.

AISLE's six curl CVEs, including CVE-2026-8932

AISLE disclosed six vulnerabilities in curl and libcurl, describing them as ranging from "classic memory-lifetime issues to logic bugs in how libcurl decides whether a connection, credential, or host identity is still valid." The report singled out CVE-2026-8932, which can cause curl to reuse a previously created connection even after an mTLS configuration-related option changed in a way that should prohibit reuse. AISLE described CVE-2026-8932 as the oldest curl vulnerability reported so far, tracing its presence back to curl version 7.7, released March 22, 2001. The issues were addressed in curl version 8.21.0.
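The bug class behind CVE-2026-8932 is a connection-reuse decision that ignores an option affecting the client's identity. The toy pool below is an added illustration written for this digest, not libcurl code: it contrasts a cache keyed only on the destination with one whose key also covers the client certificate, key, CA bundle and verification flag (all field names here are hypothetical), so that a change of mTLS identity between two transfers forces a fresh connection.

```javascript
// Added illustration, not libcurl code. A toy connection pool showing why a
// reuse decision keyed only on the destination is unsafe once client-identity
// options (mTLS cert/key) can change between transfers.

let nextConnId = 1;

// Simulated connect: a real client would perform the TLS handshake here,
// presenting the given client certificate.
function openConnection(opts) {
  return { id: nextConnId++, host: opts.host, port: opts.port, clientCert: opts.clientCert ?? null };
}

// Buggy key: destination only. Two transfers to the same host share a
// connection even if they presented different client certificates.
function destinationKey(opts) {
  return `${opts.host}:${opts.port}`;
}

// Fixed key: destination plus every option that changes who the peer sees or
// how the peer is verified. Hypothetical option names for this example.
function identityAwareKey(opts) {
  return JSON.stringify({
    host: opts.host,
    port: opts.port,
    clientCert: opts.clientCert ?? null,
    clientKey: opts.clientKey ?? null,
    caBundle: opts.caBundle ?? null,
    verifyPeer: opts.verifyPeer ?? true,
  });
}

class ConnectionPool {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.cache = new Map();
  }
  // Return the cached connection for equivalent options, or open a new one.
  get(opts) {
    const key = this.keyFn(opts);
    if (!this.cache.has(key)) {
      this.cache.set(key, openConnection(opts));
    }
    return this.cache.get(key);
  }
}

// Constructed scenario: the first transfer uses mTLS identity A, the second
// transfer to the same host switches to identity B.
const TRANSFER_A = { host: 'api.example.invalid', port: 443, clientCert: 'cert-A.pem', clientKey: 'key-A.pem' };
const TRANSFER_B = { host: 'api.example.invalid', port: 443, clientCert: 'cert-B.pem', clientKey: 'key-B.pem' };

// True if the second transfer silently reused the first transfer's connection.
function reusesAcrossIdentityChange(keyFn) {
  const pool = new ConnectionPool(keyFn);
  const first = pool.get(TRANSFER_A);
  const second = pool.get(TRANSFER_B);
  return first.id === second.id;
}

// True if two transfers with identical options share a connection (the reuse
// we still want).
function reusesSameIdentity(keyFn) {
  const pool = new ConnectionPool(keyFn);
  return pool.get(TRANSFER_A).id === pool.get(TRANSFER_A).id;
}

console.log('destination-only key reuses across identity change:', reusesAcrossIdentityChange(destinationKey)); // true (the bug)
console.log('identity-aware key reuses across identity change:', reusesAcrossIdentityChange(identityAwareKey)); // false
```

The practical check for any client library is the same: list every option that can alter the handshake or the peer check, and confirm each one is either part of the reuse key or explicitly invalidates cached connections when it changes.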

Hoppscotch unauthenticated takeover (CVE-2026-50160)

Self-hosted Hoppscotch was found vulnerable to a critical, unauthenticated takeover — CVE-2026-50160 — with a CVSS score of 10.0. Project maintainers and Offgrid Security’s autonomous AI agent, Kiro, were credited with the discovery. The problem stems from the POST /v1/onboarding/config endpoint allowing mass assignment of arbitrary InfraConfig keys, including JWT_SECRET and SESSION_SECRET, into the database. Because the NestJS ValidationPipe in use did not strip extra properties, injected keys passed through to the service layer, where Object.entries(dto) iterated all keys without restriction. OffGrid Security told The Hacker News that four independent weaknesses were chained to allow an unauthenticated attacker to overwrite the JWT signing key in a single request, producing a full server compromise that can survive password resets. The issue was fixed in hoppscotch-backend version 2026.5.0.
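The following is an added example for this digest, not Hoppscotch's code. It reduces the mass-assignment pattern to a framework-free function pair: the unsafe version writes every key from the request body with `Object.entries(dto)`, while the hardened version rejects any key outside an allowlist (the behaviour NestJS gives when `ValidationPipe` is constructed with `whitelist: true` and `forbidNonWhitelisted: true`) and, as a second layer, refuses the protected keys the write-up names. The allowlisted key names and the in-memory store are hypothetical.

```javascript
// Added illustration of the mass-assignment defect described above. Not
// Hoppscotch code: the allowlisted key names and the in-memory "database"
// are constructed for this example; JWT_SECRET and SESSION_SECRET are the
// keys the write-up names.

// Keys an onboarding request is legitimately allowed to set (hypothetical).
const ONBOARDING_ALLOWED_KEYS = new Set(['MAILER_SMTP_URL', 'MAILER_ADDRESS_FROM']);

// Keys that must never be writable through a public endpoint.
const PROTECTED_KEYS = new Set(['JWT_SECRET', 'SESSION_SECRET']);

// Vulnerable pattern: every key in the request body is persisted, so an
// attacker-supplied JWT_SECRET silently replaces the signing key.
function updateInfraConfigUnsafe(db, dto) {
  for (const [name, value] of Object.entries(dto)) {
    db.set(name, value);
  }
  return db;
}

// Hardened pattern: (1) fail the whole request if it carries any key outside
// the allowlist, the equivalent of NestJS's ValidationPipe with
// whitelist: true and forbidNonWhitelisted: true; (2) refuse protected keys
// at the service layer as defence in depth, in case the pipe is misconfigured.
function updateInfraConfigSafe(db, dto) {
  const unexpected = Object.keys(dto).filter((k) => !ONBOARDING_ALLOWED_KEYS.has(k));
  if (unexpected.length > 0) {
    throw new Error(`rejected non-whitelisted keys: ${unexpected.join(', ')}`);
  }
  for (const [name, value] of Object.entries(dto)) {
    if (PROTECTED_KEYS.has(name)) {
      throw new Error(`refusing to write protected key ${name}`);
    }
    db.set(name, value);
  }
  return db;
}

// Constructed request body: one legitimate field plus an injected secret.
const MALICIOUS_DTO = {
  MAILER_ADDRESS_FROM: 'noreply@example.invalid',
  JWT_SECRET: 'attacker-chosen-secret',
};

// Runs both versions against the same starting state and reports the outcome.
function demo() {
  const before = new Map([['JWT_SECRET', 'original-random-secret']]);

  const unsafeDb = updateInfraConfigUnsafe(new Map(before), MALICIOUS_DTO);

  const safeDb = new Map(before);
  let safeError = null;
  try {
    updateInfraConfigSafe(safeDb, MALICIOUS_DTO);
  } catch (e) {
    safeError = e.message;
  }

  return {
    unsafeSecret: unsafeDb.get('JWT_SECRET'), // overwritten by the request
    safeSecret: safeDb.get('JWT_SECRET'),     // untouched
    safeError,
  };
}

console.log(demo());
```

The allowlist check runs before any write, so a rejected request leaves the store unchanged rather than half-applied; the protected-key check is intentionally redundant with it, because the validation layer and the service layer are typically maintained separately and either can regress on its own.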

Edgecution delivered via Microsoft Teams (Zscaler ThreatLabz)

Zscaler ThreatLabz observed an initial-access broker affiliated with Payouts King posing as IT staff over Microsoft Teams to deliver a malicious Microsoft Edge extension named "Edge Monitoring Agent." The extension exploits the Chrome native messaging protocol to interact with host-native applications outside the browser sandbox. Zscaler said that, by abusing this interface, attackers gain direct host access to manipulate the filesystem, launch processes, and execute arbitrary code.

The attack chain includes a headless Edge browser loading the invisible extension, which beacons to command-and-control and relays host-based commands to a Python-based backdoor capable of system enumeration, filesystem access, and arbitrary code execution. Zscaler noted parallels to a chain Mandiant disclosed in April 2026 involving a Chromium-based extension codenamed SNOWBELT.
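Native messaging works through a host manifest: a small JSON file (registered in the browser's NativeMessagingHosts directory, or via registry keys on Windows) that names a host program's `path`, its `type` (`stdio`), and the `allowed_origins` of extensions permitted to talk to it. Because that manifest is the grant of browser-to-host access, reviewing manifests is a practical detection step. The audit below is an added example, not Zscaler's tooling: it flags manifests whose host binary sits outside trusted directories or whose allowed extension ids are not on an approved list. The approved ids, trusted path prefixes and sample manifests are all constructed for the example.

```javascript
// Added example, not Zscaler's tooling. Audits Chrome/Edge native messaging
// host manifests and returns findings per host. Manifests are constructed
// inline here; in practice they are read from the browser's
// NativeMessagingHosts directory or the corresponding registry entries.

// An allowed_origins entry is "chrome-extension://<32 chars a-p>/".
const EXTENSION_ORIGIN = /^chrome-extension:\/\/([a-p]{32})\/$/;

// Extension ids approved for native messaging (hypothetical placeholder id).
const APPROVED_EXTENSION_IDS = new Set(['abcdefghijklmnopabcdefghijklmnop']);

// Directories from which a native host binary is expected to run
// (hypothetical; tune to the deployment's software inventory).
const TRUSTED_PATH_PREFIXES = ['/opt/', '/usr/lib/', 'C:\\Program Files\\'];

// Returns a list of human-readable findings for one manifest (empty = clean).
function auditNativeHostManifest(manifest) {
  const findings = [];

  if (manifest.type !== 'stdio') {
    findings.push(`unexpected type "${manifest.type}"`);
  }

  const hostPath = manifest.path || '';
  if (!TRUSTED_PATH_PREFIXES.some((p) => hostPath.startsWith(p))) {
    findings.push(`host binary outside trusted directories: ${hostPath}`);
  }

  for (const origin of manifest.allowed_origins || []) {
    const m = EXTENSION_ORIGIN.exec(origin);
    if (!m) {
      findings.push(`malformed allowed_origin ${origin}`);
    } else if (!APPROVED_EXTENSION_IDS.has(m[1])) {
      findings.push(`unapproved extension ${m[1]} may talk to ${manifest.name}`);
    }
  }
  return findings;
}

// Maps host name -> findings, omitting hosts with nothing to report.
function auditAll(manifests) {
  const report = {};
  for (const mf of manifests) {
    const f = auditNativeHostManifest(mf);
    if (f.length > 0) report[mf.name] = f;
  }
  return report;
}

// Constructed sample manifests: one approved host, one that would warrant a look.
const SAMPLE_MANIFESTS = [
  {
    name: 'com.example.approved_host',
    description: 'Approved corporate host',
    path: '/opt/example/host',
    type: 'stdio',
    allowed_origins: ['chrome-extension://abcdefghijklmnopabcdefghijklmnop/'],
  },
  {
    name: 'com.example.suspect_host',
    description: 'Monitoring agent',
    path: '/tmp/.agent/host',
    type: 'stdio',
    allowed_origins: ['chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/'],
  },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

The two checks are deliberately independent: a legitimately installed host that an unapproved extension has been granted access to is as much a finding as an unknown binary, since the manifest's allowed_origins list is what turns an extension into a path out of the browser sandbox.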

Klue credential reuse and the Icarus extortionists

Competitive intelligence company Klue disclosed that a credential issued in 2022 for a limited pilot remained active and was later used by Icarus extortionists to steal Salesforce data from corporate customers. Klue said the credential was "originally provided to a third-party in 2022, for a limited pilot," but did not share the pilot’s purpose, duration, or the third party’s identity, nor explain why the credential was not revoked. Klue confirmed that several customers had limited Salesforce information stolen; named victims include 8x8, BeyondTrust, Gong, Jamf, HackerOne, Insurity, LastPass, OneTrust, Pendo, Recorded Future, Snyk, Sprout Social, and Tanium.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Patch curl to 8.21.0 where possible, validate server-side DTO handling and validation (as in the Hoppscotch fix), and monitor for stealthy browser-extension vectors that abuse native messaging.
  • Procurement and device managers: Revisit app-store policies and vendor enforcement on smart-TV platforms — Spur highlighted that LG and Samsung had not enforced proxy-blocking protections like Amazon and Roku — and audit long-lived credentials granted for pilots.
  • End users and administrators: Treat always-on devices like TVs as networked endpoints; Spur warned TVs can remain signed in and online for years without obvious signals of misuse, shifting the consent calculus for selling residential IP access.

These items add up to a single, plain observation: attackers keep finding cheap, effective paths. As the ThreatsDay Bulletin put it: "Patch what you can. Revoke what you forgot. Maybe glance at the devices you’ve been treating like furniture."

Read the original ThreatsDay Bulletin at The Hacker News