Security Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week TeamPCP? Or copycat malware dev?
Security Election interlopers register 5K+ domains, hope to catch some voting phish Hacking voting machines is so 2017. Phishing, impersonation pose the real election risks
Security GTA cheat service Atlas Menu hacked as attacker alleges screenshot spying A database containing 64,000 user records was published to GitHub after an attacker claimed to have compromised all Atlas systems
Cyber-crime Palo Alto VPN bug graduates from advisory to active exploitation Rapid7: Attackers exploit authentication bypass flaw in the wild, meaning more emergency patching for PAN-OS users
Security Password manager Dashlane suspends customer accounts amid brute-force attacks Engineers' weekends ruined as Dashlane's automatic protections kicked in
Networks Putin sends submarines to survey Britain's subsea cables. UK deploys Royal Navy, mobilizes parliamentary draftsmen Proposed legislation threatens fines and prison for reckless damage. Russian Prez must be shaking in his boots
Security Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries And then Microsoft busted them all
public sector ICE to keep an eye on your eyes under $25M biometric scanner deal And you thought a face recognition app was intrusive?
Security No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out Researcher reported the vuln in March. Maintainers haven't responded to his messages since
Legal 23andMe inherits lawsuit over 'disturbing' DNA data breach California AG claims genetics biz downplayed 2023 mega-leak while paying ransom to attacker
Security Dutch cops wrest 17M devices from mystery botnet's clutches Hosting provider pulled the plug after police traced 200 servers to the Netherlands
Security ChatGPT blindly trusts browser content, turning the page into a payload You and me go ChatGPhish-ing in the dark
Research Russia-linked threat group put ChatGPT to work from lure to payload Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government
Cyber-Crime ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Telco giant says no sensitive data was taken, though names, addresses, phones, and emails are now out there
Security Troops’ phones gave away location data to foreign adversaries Lawmakers push DoD to tighten smartphone controls after adversaries exploited commercial tracking data
Security Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops Six 0-days, three under active exploitation, more to come on July 14?
AI + ML Snowflake buys Natoma to help freeze out rogue agents It is the database titan’s sixth acquisition announcement since June 2025
OSes Microsoft tests the 15-character limit of Windows Server admins' patience May security update trips over hostnames of a very specific length
Cyber-Crime Carnival confirms ShinyHunters cruised off with 6M customer records after April breach Travel and leisure giant was just one of many victims of the cybercrooks' crime spree this year
Security Company CEO flooded file share with smut, called for help after he deleted it Also, missing school iPad resurfaced after coach’s kids uploaded video to YouTube
cyber-crime CrowdStrike, Google shatter Glassworm botnet Developer-targeted, supply-chain attacks all the rage these days
AI + ML Bosses blinded by confidence about shadow AI use by workers More than half of orgs in Okta survey faced an AI-related security incident or near miss last year
Security Extortion crews are visiting law firms pretending to be tech support, FBI warns Cybercriminals still allowed to walk into office blocks and convince staff to let them plug in their own thumb drives
Security India's cyber agency sets clock at 12 hours to tackle exploited bugs as AI turns up the heat CERT-In says internet-facing or critical systems should be patched, mitigated, or cut off within half a day where feasible
Security How to guarantee a speaker gig: Hack the system. Literally Make your mark on the call-for-proposal platform
cyber-crime MyPillow must decide whether to be firm or soft as ransomware crims demand pay Guess they could deny the alleged intrusion … like the 2020 election results
Security Experts pour cold borscht on Farage's Russian hack claim Reform UK leader alleges Moscow broke into his phone and leaked £5M gift story, but security specialists await evidence
Security Anthropic to release Mythos-class models to the public AI flaw-finder still under lock and key for now while company figures out guardrails, but extends access to more users including governments
Security AI eyes scanning for bugs create a worrisome Linux security trend Dirty Frag, Copy Fail, and Fragesia show the new reality
Security A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Hey, Gemini, how much can we earn from one pump-and-dump cycle?
security Techie claims Trump Mobile website was leaking thousands of people's data Customers' info potentially handed to anyone who could send an HTTP request
Security Cisco used AI to write security incident reports, with mixed results You’ll need a lot of detailed prompts to get solid output - and even then it may have errors and typos
Security Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund' 'Budgets are moral documents,' Rep. Delia Ramirez said
DevOps Threat hunters find Google API keys still usable 23 minutes after deletion Plenty of time for cyber crims to grab data or hit you with a giant bill
Security HackerOne takes an axe to its bug bounty rewards Critical flaw payouts slashed by more than 75%
Security Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach Leakage blamed on treacherous friends exposed unencrypted credentials, email addresses
Security Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw Switchzilla says attackers could access sensitive data and make configuration changes across tenant boundaries through vulnerable internal APIs
Security Microsoft storms RAMPART, adds Clarity to agentic AI safety Redmond open sources two tools for building and maintaining safer agents
Security Zombie user account let hackers control the city’s water Failing to disable a former employee’s account was a huge mistake
Security Even Claude agrees: hole in its sandbox was real and dangerous Another day, another AI bug silently fixed with no CVE and no public disclosure
DevOps GitHub says internal repos exfiltrated after poisoned VS Code extension attack Initial assessment says customer data spared while users wonder what else may have slipped out
Databases London's police asked Big Tech for comms data over 700,000 times last year A Freedom of Information Act request shows the extent of the surveillance
Security Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware 'Thousands' of US victims, including 12+ machines owned and operated by Redmond
Security America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames I wonder what's in 'external-secret-repo-creds.yaml' and 'AWS-Workspace-Firefox-Passwords.csv'?
Security Clear your calendar, Drupal user: You have a critically urgent patch to install The org’s staying mum on the details, but Wednesday’s fixes reach back to unsupported 8.9 branches
Security Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them While also spoofing all the trusted domains - Apple, Microsoft, and Google - in the same attack
Cyber-Crime Shai-Hulud copycat worm infects yet another npm package Plus three other stealers in three other packages, all from the same scumbag
Security Linux kernel flaw opens root-only files to unprivileged users Plus ModuleJail, a radical proposal for minimizing the impact of similar bugs
Hardening open source projects may deter contributions TanStack weighs invitation-only pull requests after supply chain attack Shai-Hulud worm exploited GitHub Actions misconfiguration to poison shared cache, now project weighing nuclear option on unsolicited contributions
Security NGINX Rift attackers waste no time targeting exposed servers Researchers say 18-year-old flaw already being probed and exploited just days after disclosure
Security Poland directs officials to ditch Signal in favor of 'secure' state-developed alternative Shift comes amid mounting reports of successful social engineering attacks targeting higher-ups in government
Security F-35 software delays leave UK buying time with US glide bombs MoD says StormBreaker will plug gap until homegrown SPEAR 3 integration lands
Security Mozilla warns UK: Breaking VPNs will not magically fix Britain's age-check mess Firefox maker says the tools are basic security infrastructure, not teenage contraband
Cyber-Crime Grafana Labs admits all its codebase are belong to someone who popped its GitHub account No customer info stolen, no impact to operations, and no blackmail payment
Security Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’ Multiple researchers using the same tools to find the same bugs are creating ‘unnecessary pain and pointless work’
Security OpenAI caught in TanStack npm supply chain chaos after employee devices compromised Attackers stole a limited amount of internal credential material after malware hidden in poisoned packages reached two staff machines
Security MPs want social media treated more like unsafe toys than harmless apps Parliamentary committee tells ministers online safety regime is failing children and warns 'no action is not an option'
Security Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Other than Instructure execs - maybe?
Security Cops arrest man suspected of being Dream Market kingpin Owe Martin Andresen faces charges in both US and Germany connected with money laundering, claims he sent gold bars directly to his doorstep
Security Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access Fresh kernel flaw comes with public exploit code and continues ugly run of highly reliable privilege escalation bugs tied to memory and page-cache handling
Security To gain root access at this company, all an intruder had to do was ask nicely Human IT managers thought they were being nice to the boss, but were assisting a threat actor
AI +ML AI models are getting better at replacing cybersecurity pros on certain tasks UK researchers find LLMs are learning to finish jobs faster and improving all the time
Networks Cisco to fire 4,000 staff and generously give them free training – on Cisco Reducing memory requirements to control costs in a new wave of kit
patches Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits Palo Alto Networks found and fixed 75 flaws this month, up from its usual five
Columnists AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem? If a setting fails in the forest and nobody hears it ...
Security Bug hunter tracks down three massive MCP flaws and one vendor won't fix theirs Apache, Alibaba databases vulnerable and only one has a patch
Security Mystery Microsoft bug leaker keeps the zero-days coming Security pros warn YellowKey claim could make stolen laptops a much bigger problem
Security Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Where it’s been well and truly forked, seemingly without Microsoft’s code locker noticing
Public Sector Vietnam to develop domestic cloud so it can ditch risky overseas operators for government workloads Communist government plans personalized ‘data-driven decision-making based on real-time information’ by 2035
Security Doozy of a Patch Tuesday includes 30 critical Microsoft CVEs The good news: no 0-days. The bad news: busy week ahead for Microsoft admins
cyber-crime Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Affected factories back up and running, we're told
Security US bank reports itself after slinging customer data at 'unauthorized AI app' Volume and sensitivity of the data cited as chief concerns
Cyber-crime Cache-poisoning caper turns TanStack npm packages toxic Six-minute supply chain blitz pushed 84 malicious versions with credential theft and disk-wiping code
Security Apple, Google drag cross-platform texting into the encrypted age After years of stopping dead at the green bubble border, iPhone and Android users can finally send E2EE messages without relying on third-party apps
Security Japan’s PM orders cybersecurity review to stop Mythos going full CyberZilla Fears exponential increase in attack scale and speed
Security Double Canvas breach acknowledged as ShinyHunters sets new pay-or-leak deadline UPDATED: Sorry, kids, everything's back up so get to work on your new assignment - An essay on the ethics of paying ransoms, because it looks like that's what happened here
Security Cookie thieves caught stealing dev secrets via fake Claude Code installers New IElevator2 COM interface? No problem
Security Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator After all that hype, AI scanner found one low-severity cURL flaw
Cyber-Crime BWH Hotels guests warned after reservation data checks out with cybercrooks Customers urged to keep an eye out for phisherfolk
DevOps Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged Cybercrooks ruin engineers' weekends with Saturday attack
Security Worm rubs out competitor's malware, then takes control All your compromised credentials are belong to us now instead of the other gang
Security 'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit Broken disclosure embargo left admins facing a fresh root-level flaw with no CVE
Security Meta U-turns on encryption push for Instagram as DMs go plaintext After years of insisting end-to-end encryption was the future of online comms, Zuckcorp has handed itself full visibility into user chats once again
Security Hackers ate my homework: Educational SaaS Canvas down after cyberattack ShinyHunters takes the credit and gives developer an F for security
Security Meta fights Ofcom over how many billions count as billions Social media biz says watchdog's fine formula is 'disproportionate' and should stop counting global revenue
security Mozilla boasts Mythos boosted Firefox bug cull Yet it remains unclear if Anthropic's uber model was effective, or if better model middleware is what makes the difference
security Anthropic response to 1-click pwn: Shouldn't have clicked 'ok' Security biz Adversa AI argues users of AI tools need clearer warnings
security 60% of MD5 password hashes are crackable in under an hour Happy World Password Day! Maybe it's finally time to kill this holiday in favor of World No-More-Passwords Day?
Security The network password was a key plot point in one of the most famous movies of all time Fortunately, it was a legit contractor who guessed it
AI + mL Arctic Wolf kicks 250 employees out of the pack to save money for AI Cuts appear to hit sales, product, and marketing, accounting for under 10% of staff
Security 1 in 8 employees totally cool with selling work credentials 13% say they’ve sold logins or know someone who has, survey suggests
Cyber-crime First reports come in of victims of critical cPanel vuln as 'millions' of sites potentially exposed
Security OpenAI locks GPT-5.5-Cyber behind velvet rope despite slamming Anthropic for doing exactly that
Security Passport to £££: Home Office adds £216M to travel doc contract before a single bid's been placed
Cyber-crime Nearly half of UK businesses pwned last year as phishing keeps doing the job like it's 2005
Cyber-crime What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia
Patches Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack
Security GitHub: Zounds, a genuinely helpful AI-assisted bug report that isn't total slop! Here, Wiz, take this wad of cash
Cyber-crime Burglar alarm biz burgled: ADT confirms cyber intrusion after ShinyHunters extortion attempt
Security If malware via monitor cables is a matter of national security, this might be the gadget for you
Security Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor
Security Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus
Security Google Chrome lacks protection against one of the most basic and common ways to track users online
Patches Patch these critical Fortinet sandbox bugs that let attackers bypass login, run commands over HTTP
Security Agents hooked into GitHub can steal creds – but Anthropic, Google, and Microsoft haven't warned users
Security Two different attackers poisoned popular open source tools - and showed us the future of supply chain compromise
Cyber-crime 'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree
