In a supply chain attack, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. [...]
Salesloft says attackers first breached its GitHub account in March, leading to the theft of Drift OAuth tokens later used in widespread Salesforce data theft attacks in August. [...]
With WSUS deprecated, it's time to move from an outdated legacy patching system to a modern one. Learn from Action1 how its modern patching platform offers cloud-native speed, 3rd-party coverage, real-time compliance, and zero infrastructure. Try it free now! [...]
Busy lawyers on hold for five hours as staff handhold users into deploying the security measure US courts have warned of delays as PACER, the system for accessing court documents, struggles to support users enrolling in its mandatory MFA program.... [...]
Plus: Google clears up Gmail concerns, NSA drops SBOM bomb, Texas sues PowerSchool, and more Infosec in brief The US Cybersecurity and Infrastructure Security Agency (CISA) has said two flaws in routers made by Chinese networking biz TP-Link are under active attack and need to be fixed – but there's …
Fallout from latest political drama sparks a changing of the guard UK prime minister Sir Keir Starmer cleared out the officials in charge of tech and digital law in a dramatic cabinet reshuffle at the weekend.... [...]
Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public …
iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes. [...]
The Czech Republic's National Cyber and Information Security Agency (NUKIB) is instructing critical infrastructure organizations in the country to avoid using Chinese technology or transferring user data to servers located in China. [...]
VirusTotal has discovered a phishing campaign hidden in SVG files that create convincing portals impersonating Colombia's judicial system that deliver malware. [...]
The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google’s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from …
New research (paywalled): Editor’s summary: Cephalopods are one of the most successful marine invertebrates in modern oceans, and they have a 500-million-year-old history. However, we know very little about their evolution because soft-bodied animals rarely fossilize. Ikegami et al. developed an approach to reveal squid fossils, focusing on …
tldr; boffins did it interview It all started as an idea for a research paper.... [...]
Pro tip, don't install PowerShell commands without approval A team of data thieves has doubled down by developing its CastleRAT malware in both Python and C variants. Both versions spread by tricking users into pasting malicious commands through a technique called ClickFix, which uses fake fixes and login prompts …
Microsoft says it has been enforcing multifactor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025. [...]
I am pleased to announce the imminent publication of my latest book, Rewiring Democracy: How AI will Transform our Politics, Government, and Citizenship : coauthored with Nathan Sanders, and published by MIT Press on October 21. Rewriting Democracy looks beyond common tropes like deepfakes to examine how AI technologies will …
9.9-rated flaw on the loose, so patch now A critical code-injection bug in SAP S/4HANA that allows low-privileged attackers to take over your SAP system is being actively exploited, according to security researchers.... [...]
Wealthsimple, a leading Canadian online investment management service, has disclosed a data breach after attackers stole the personal data of an undisclosed number of customers in a recent incident. [...]
An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project. [...]
Identity Governance & Administration (IGA) is critical to keeping data secure, ensuring only the right people have access to the right resources. But legacy IGA is slow, costly, and code-heavy. Learn from tenfold why Modern IGA solutions deliver faster out-of-the-box integrations, streamlined governance, and built-in compliance. [...]
A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn. [...]
Interesting experiment : To design their experiment, the University of Pennsylvania researchers tested 2024’s GPT-4o-mini model on two requests that it should ideally refuse: calling the user a jerk and giving directions for how to synthesize lidocaine. The researchers created experimental prompts for both requests using each of seven …
Affinity Learning Partnership warns staff after Intradev breach A major UK education trust has warned staff that their personal information may have been compromised following a cyberattack on software developer Intradev in August.... [...]
You cut and pasted the machine key from the official documentation? Ouch Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines.... [...]
Wednesday’s discovery of three mis-issued TLS certificates for Cloudflare’s 1.1.1.1 encrypted DNS lookup service generated intense interest and concern among Internet security practitioners. The revelation raised the possibility that an unknown entity had obtained the cryptographic equivalent of a skeleton key that could be …
AI agent system said to have found more than 100 zero-day flaws in production apps AI models get slammed for producing sloppy bug reports and burdening open source maintainers with hallucinated issues, but they also have the potential to transform application security through automation.... [...]
Defrauding search with custom malware, Potato-family exploits A new China-aligned cybercrime crew named GhostRedirector has compromised at least 65 Windows servers worldwide - spotted in a June internet scan - using previously undocumented malware to juice gambling sites' rankings in Google search, according to ESET researchers.... [...]
Threat actors have been exploiting a zero-day vulnerability in legacy Sitecore deployments to deploy WeepSteel reconnaissance malware. [...]
Texas Attorney General Ken Paxton has filed a lawsuit against education software company PowerSchool, which suffered a massive data breach in December that exposed the personal information of 62 million students, including over 880,000 Texans. [...]
Chess.com has disclosed a data breach after threat actors gained unauthorized access to a third-party file transfer application used by the platform. [...]
TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks. [...]
The French data protection authority has fined Google €325 million ($378 million) for violating cookie regulations and displaying ads between Gmail users' emails without their consent. [...]
The browser is now the frontline for cyberattacks. From phishing kits and ClickFix lures to malicious OAuth apps and extensions, attackers are targeting the very place your employees access business-critical apps. Push Security explains how to defend where breaches begin. [...]
Car tire giant Bridgestone confirms it is investigating a cyberattack that impacts the operation of some manufacturing facilities in North America. [...]
Nexthink estimates ESU bills could top $7.3B as millions of devices set to miss upgrade deadline Free support is ending for many editions of Windows 10 on October 14, and enterprises unable to make the jump are on the hook for billions to keep the fixes flowing.... [...]
Microsoft says the August 2025 security updates are triggering unexpected User Account Control (UAC) prompts and app installation issues for non-admin users across all supported Windows versions. [...]
Anthropic reports on a Claude user: We recently disrupted a sophisticated cybercriminal that used Claude Code to commit large-scale theft and extortion of personal data. The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government and religious institutions. Rather than encrypt the stolen …
Privacy campaigners cry foul as grocer joins Asda, Iceland, and others in retail surveillance boom Sainsbury's, Britain's second-largest supermarket chain, has caught the attention of privacy campaigners by launching an eight-week trial of live facial recognition (LFR) tech in two of its stores to curb shoplifting.... [...]
Web giant and Chinese e-tailer whacked for dropping trackers without permission France’s data protection authority levied massive fines against Google and SHEIN for dropping cookies on customers without securing their permission, and also whacked Google for showing ads in email service.... [...]
Seven-year-old Cisco vuln that remains inexplicably unpatched is their way in The US State Department has put a $10 million bounty on the heads of three Russians accused of being intelligence agents hacking America's critical infrastructure - primarily via old Cisco kit, it seems.... [...]
Clock is ticking US security leaders have urged lawmakers to reauthorize two key pieces of cyber legislation, including one that facilitates threat-intel sharing between the private sector and federal government, before they expire at the end of the month.... [...]
Threat actors are using Grok, X's built-in AI assistant, to bypass link posting restrictions that the platform introduced to reduce malicious advertising. [...]
September bundle the largest this year, and possibly the most serious Patch Tuesday is next week, but Android is ahead of the game, dropping its biggest patch bundle this year while attackers actively exploit two of the now-fixed flaws.... [...]
LLMs and 0-days - what could possibly go wrong? Attackers on underground forums claimed they were using HexStrike AI, an open-source red-teaming tool, against Citrix NetScaler vulnerabilities within hours of disclosure, according to Check Point cybersecurity evangelist Amit Weigman.... [...]
The U.S. Department of State is offering a reward of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. [...]
People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry. The certificates, issued in May, can be used …
Hackers are increasingly using a new AI-powered offensive security framework called HexStrike-AI in real attacks to exploit newly disclosed n-day flaws. [...]
The U.S. Department of Justice has sued toy maker Apitor Technology for allegedly allowing a Chinese third party to collect children's geolocation data without their knowledge and parental consent. [...]
AI-powered ransomware, extortion chatbots, vibe hacking... just wait until agents replace affiliates It's no secret that AI tools make it easier for cybercriminals to steal sensitive data and then extort victim organizations. But two recent developments illustrate exactly how much LLMs lower the bar for ransomware and other financially …
The Alliance for Creativity and Entertainment (ACE) and Egyptian authorities have shut down Streameast, the world's largest illegal live sports streaming network, and arrested two people allegedly associated with the operation. [...]