
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Evidence exposure and insider targeting | 2 |
| Cyber Investigations | Supply chain and espionage probes | 2 |
| Major Cyber Incidents | Healthcare and humanitarian breaches | 2 |
| Exploits & Threat Intelligence | Magento and AI exploit paths | 2 |
| Law Enforcement | Scam networks disrupted globally | 2 |
| Policy & Standards | AI and cyber resilience rules | 2 |
Digital Investigations
The World Food Programme investigated unauthorised access to its Gaza self-registration application, exposing names, identification numbers, phone numbers and location details for aid applicants in Palestine [EMEA]. Investigators will need to preserve application access logs, registration database snapshots, Telegram notification timing and containment records to determine entry point, dwell time and whether data was copied or merely viewed (Source: The Record, 04-06-2026)
Five Eyes agencies warned that Chinese intelligence services are using job platforms and front-company recruiter personas to approach cleared personnel and adjacent targets across Australia, Canada, New Zealand, the UK and the US [APAC/EMEA/AMER]. Digital investigators should correlate platform messages, recruiter domains, payment traces, persona reuse and applicant metadata because the campaign blends human intelligence targeting with recoverable online artefacts (Source: The Record, 04-06-2026)
Cyber Investigations
A new IronWorm supply-chain attack infected 36 npm packages with Rust-based infostealer malware targeting developer secrets, cloud credentials, SSH keys and cryptocurrency wallet files [AMER]. The investigation highlights artefacts in preinstall scripts, npm publishing history, GitHub Actions output, suspicious aged commits and stolen Trusted Publishing credentials that can help reconstruct propagation across CI environments (Source: BleepingComputer, 04-06-2026)
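One place to start when reconstructing an install-time compromise like the one above is the lifecycle hooks npm runs automatically. The script below is an added example, not code from the original digest or from the IronWorm analysis: it walks a node_modules-style tree, lists every install hook, and flags commands that touch credential files or fetch remote content. The sample packages, the hook commands and the indicator list are all constructed for the demonstration.

```python
import json
import os
import re
import tempfile

# Hooks npm runs without user interaction during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Constructed indicators of a hook that stages code or reads developer secrets.
SUSPECT = re.compile(r"(curl|wget|base64|eval\(|node -e|\.ssh|\.npmrc|\.aws)")


def lifecycle_hooks(root):
    """Return (package, hook, command, suspicious) for every install hook found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: note it elsewhere, keep walking
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((manifest.get("name", dirpath), hook, cmd,
                                 bool(SUSPECT.search(cmd))))
    return findings


def build_sample_tree():
    """Write a constructed node_modules tree: one plain, one native, one suspicious package."""
    root = tempfile.mkdtemp()
    manifests = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "odd-helper": {"name": "odd-helper", "version": "0.0.7",
                       "scripts": {"preinstall": "node setup.js; cat $HOME/.npmrc"}},
    }
    for name, manifest in manifests.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for pkg, hook, cmd, flagged in lifecycle_hooks(build_sample_tree()):
        print(f"{'SUSPECT' if flagged else 'review '} {pkg} {hook}: {cmd}")
```

Native add-ons legitimately use `install` hooks, so the flag is a triage aid; the publish history and CI output the digest mentions decide whether a hook is original to the package or was injected.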
Sekoia published the latest part of its Gamaredon research series, focusing on GammaSteel activity tied to Russia-linked operations against Ukrainian interests [EMEA]. Analysts should preserve phishing lures, loader chains, staging infrastructure, extracted configuration, command-and-control overlaps and victimology patterns because multi-part tooling families often require cross-case correlation rather than single-sample conclusions (Source: Sekoia.io, 04-06-2026)
Major Cyber Incidents
ShinyHunters published what it claimed was a 234GB DentaQuest data trove affecting 2.6 million people in the United States healthcare and benefits ecosystem [AMER]. Case teams should compare extortion-site claims with breach notification facts, validate sample records, preserve dark-web publication timestamps and map exposed fields to identity-fraud and regulated-health-data risk (Source: DataBreachToday, 04-06-2026)
The World Food Programme suspended its Gaza registration platform after unauthorised parties accessed sensitive applicant data used for food and cash assistance in Palestine [EMEA]. The incident matters because humanitarian databases combine identity, household and location evidence, requiring careful preservation of platform state, access paths and notification records while avoiding secondary harm to vulnerable populations (Source: The Record, 04-06-2026)
Exploits & Threat Intelligence
CISA added CVE-2026-45247, a Mirasvit Full Page Cache Warmer PHP object-injection flaw affecting Magento and Adobe Commerce stores, after evidence of exploitation in the wild [AMER]. Investigators should inspect CacheWarmer cookies, serialized object payloads, web server access logs, Magento extension versions and post-exploitation file changes to separate scanning from successful remote code execution (Source: SecurityWeek, 04-06-2026)
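To separate probing from successful exploitation, investigators need the requests whose cookies carried a serialised PHP object at all. The script below is an added example, not the advisory's or any vendor's code: it parses a constructed access-log layout that records the Cookie header, URL-decodes each cookie and reports those matching the PHP object header `O:<len>:"<class>":<n>:{`. The log format, the cookie name `warmer_state` and the class names are assumptions made for the demonstration, not values from the advisory.

```python
import re
from urllib.parse import unquote

# Header of a PHP serialised object: O:<name length>:"<class>":<property count>:{
PHP_OBJECT = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Constructed log layout: client ip, timestamp, request line, status, Cookie header.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookies>[^"]*)"$'
)


def serialized_object_cookies(lines):
    """Return one record per request whose Cookie header contains a PHP object string."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # different format or truncated line: skip, do not guess
        for cookie in m.group("cookies").split(";"):
            name, _, value = cookie.strip().partition("=")
            obj = PHP_OBJECT.search(unquote(value))
            if obj:
                hits.append({
                    "ip": m.group("ip"), "ts": m.group("ts"), "cookie": name,
                    "class": obj.group(1), "status": int(m.group("status")),
                    "request": m.group("req"),
                })
    return hits


# Constructed sample lines; addresses, cookie name and class names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 [04/Jun/2026:10:01:02 +0000] "GET /catalog/ HTTP/1.1" 200 "PHPSESSID=abc123; form_key=xyz"',
    '198.51.100.7 [04/Jun/2026:10:02:15 +0000] "GET / HTTP/1.1" 200 '
    '"warmer_state=O%3A11%3A%22Placeholder%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A3%3A%22tmp%22%3B%7D"',
    '198.51.100.7 [04/Jun/2026:10:02:16 +0000] "GET / HTTP/1.1" 500 '
    '"warmer_state=O%3A3%3A%22Foo%22%3A0%3A%7B%7D"',
]


if __name__ == "__main__":
    for hit in serialized_object_cookies(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} cookie={hit['cookie']} class={hit['class']} status={hit['status']}")
```

A hit only shows that an object string reached the server; the status code, the class name against the installed extension version, and the file-change timeline the digest lists decide whether it was a scan or a working chain.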
SafeBreach researchers disclosed a Gemini voice assistant attack class using messaging notifications from apps such as WhatsApp, Slack and SMS to inject hidden instructions into the assistant context [AMER]. The finding expands evidential scope for AI-enabled abuse because investigators may need to collect notification content, assistant transcripts, smart-home actions, muted hyperlink artefacts and language-shifted prompt fragments (Source: SecurityWeek, 04-06-2026)
Law Enforcement
The U.S. Justice Department’s Scam Center Strike Force announced Disruption Week results with global partners and industry, disrupting more than 1.4 million scam-linked accounts and infrastructure tied to Southeast Asian compounds [APAC/AMER]. The action produced arrests, frozen cryptocurrency, decommissioned hosting and platform takedowns, giving investigators cross-border evidence trails across social accounts, Starlink kits, IP traffic and wallet flows (Source: U.S. Department of Justice, 04-06-2026)
Europol reported that Spanish authorities dismantled a fake document factory and seized around 800 IDs, disrupting infrastructure used to support criminal mobility and identity abuse in Spain [EMEA]. Digital evidence teams should prioritise device images, template files, printer logs, messaging records, payment ledgers and shipping metadata because forged identity operations often connect offline production with online fraud ecosystems (Source: Europol, 04-06-2026)
Policy & Standards
U.S. House testimony from Google Threat Intelligence addressed how frontier models, agentic AI and coding tools are reshaping cybersecurity and critical infrastructure resilience in Washington, D.C. [AMER]. The policy record matters to investigators because adversarial AI use, model distillation and automated tooling create new evidential questions around provenance, intent, capability transfer and machine-generated attack artefacts (Source: U.S. House Homeland Security Committee, 04-06-2026)
Singapore’s Cyber Security Agency updated Cybersecurity Act material covering oversight and maintenance of Critical Information Infrastructure, including the amended framework passed in Parliament in 2024 [APAC]. The update is relevant because regulated entities need auditable incident records, CII scoping evidence, compliance documentation and defensible control histories when investigations intersect with statutory cyber duties (Source: Cyber Security Agency of Singapore, 03-06-2026)
Editorial Perspective
This cycle shows how digital investigations increasingly depend on correlating records across humanitarian platforms, developer ecosystems, messaging apps, recruitment sites and law-enforcement takedowns. Evidential integrity starts with preserving native logs, timestamps, access paths and platform context before automated clean-up, containment or third-party remediation changes the record. Investigators should treat AI assistant actions, supply-chain artefacts and forged identity production as linked evidence problems rather than isolated technical events.
Attribution capability remains strongest where investigators can combine infrastructure traces with behavioural patterns, credential use, payment movement and victimology. Cross-platform evidence correlation is now essential because the same actor may appear as a recruiter, package publisher, extortion persona, wallet controller or hosting customer. Readiness therefore depends on retention policies, repeatable collection playbooks and clear legal routes for acquiring records from cloud, social, code-hosting and communications providers.
Tags
Digital Evidence, Supply Chain Security, IronWorm, Gamaredon, Magento, CVE-2026-45247, AI Security, Humanitarian Data, Scam Compounds, Identity Fraud, Critical Infrastructure, Cyber Policy