From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase.
The post Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents appeared first on SecurityWeek.
Locked Shields has grown significantly over the past 16 years, with only four nations participating in the first edition.
The post Locked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest Exercise appeared first on SecurityWeek.
The malware provides remote access and control of infected devices and maintains post-patching persistence.
The post US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor appeared first on SecurityWeek.
The Trump administration is vowing to crack down on foreign tech companies’ exploitation of U.S. artificial intelligence models.
The post Trump Administration Vows Crackdown on Chinese Companies ‘Exploiting’ AI Models Made in US appeared first on SecurityWeek.
CrowdStrike has fixed a critical LogScale vulnerability, while Tenable addressed a high-severity Nessus flaw.
The post Vulnerabilities Patched in CrowdStrike, Tenable Products appeared first on SecurityWeek.
Tied to a fresh Checkmarx supply chain attack claimed by TeamPCP, the incident references the Shai-Hulud worm.
The post Bitwarden NPM Package Hit in Supply Chain Attack appeared first on SecurityWeek.
The Israel-based company, which just emerged from stealth mode, was founded by cloud and security experts from RSA, McAfee, and Unity.
The post Copperhelm Raises $7 Million for Agentic Cloud Security Platform appeared first on SecurityWeek.
Cybersicherheit zu messen, ist kein Kinderspiel.
Foto: Ultraskrip – shutterstock.com
Eine wichtige Säule jedes ausgereiften Cyberrisk-Programms ist die Fähigkeit, die Performance der IT-Security und registrierte Bedrohungen zu messen, zu analysieren und zu melden. Die Cybersecurity zu messen, ist allerdings kein leichtes Unterfangen: Einerseits, weil sich viele Führungskräfte ohne entsprechenden Background schwer tun, IT-Risiken zu verstehen. Andererseits verstricken sich Sicherheitsprofis auch zu oft in technische Details, die die Stakeholder verwirren und auf den falschen Weg führen.
Das ideale Szenario: Security-Experten messen und reporten die Cybersicherheit auf eine Art und Weise, die für Führungskräfte leicht verständlich und nützlich ist – was zu umsetzbaren Ergebnissen führt. Klingt gut? Dieser Artikel vermittelt Ihnen, wie Sie das anstellen.
Die meisten Stakeholder beschäftigen Fragen zu Risiken, Compliance oder Sicherheit. Diese lassen sich jedoch in der Regel nicht mit einem einzigen Datenpunkt beantworten. Doch es gibt eine Reihe von Dingen, die Security-Profis messen können, um auf die Fragen und Bedenken der Stakeholder einzugehen. Diese lassen sich (grob) in folgende Kategorien einordnen:
Kontrollen: Maßnahmen, die ergriffen werden, um Bedrohungen abzuwehren und Risiken zu reduzieren.
Assets: Jeder Gegenstand, der für die Organisation einen Wert besitzt, beziehungsweise sich in ihrem Besitz befindet.
Vulnerabilities: Schwachstellen in einem System, die ausgenutzt werden können.
Threat Events: Von einer Bedrohung ausgelöste Ereignisse, die Assets potenziell Schaden zufügen können.
Sicherheitsvorfälle: Ereignisse, die “erfolgreich” Wirkung auf das Unternehmen entfaltet haben, etwa in Form von (System-)Ausfällen, Datenschutzverletzungen oder Cyberangriffen.
Diese Kategorien lassen sich weiter nach verschiedenen Faktoren aufschlüsseln: Zahlen, Zeit oder Kosten.
Zahlen könnten beispielsweise in Form des Prozentsatzes der ungepatchten Server gemessen werden. Eine weitere Möglichkeit: Sie messen die Zeit, die benötigt wurde, um einen Sicherheitsvorfall zu identifizieren. Schließlich könnten Kosten – zum Beispiel in Form von Wiederherstellungs- oder Ausfallkosten – Aufschluss über die finanziellen Auswirkungen von Security-Ereignissen geben.
Wenn Security-Profis oder -Entscheider an Business Teams berichten, sollten sie dazu möglichst relevante Messerwerte wählen. Dabei konzentrieren sich die meisten Sicherheitsteams auf Metriken, die Low-Level-Messungen bezüglich Assets, Schwachstellen und Threat Events abbilden. Auf Führungs- und Vorstandsebene sind hingegen vor allem KPIs (Key Performance Indicators) und KRIs (Key Risk Indicators) entscheidend, weil diese dazu beitragen können, spezifische Fragen in Bezug auf IT-Risiko, -Status und -Vorbereitung zu beantworten. Beispielsweise:
Sind wir sicher?
Liefern die Sicherheitsinvestitionen dem Unternehmen Mehrwert?
Erfüllen wir aus Sicherheitsperspektive alle regulatorischen Anforderungen?
Wie gut sind wir auf Ransomware- oder Supply-Chain-Angriffe vorbereitet?
Deshalb sollten sich Security-Praktiker auch auf KPIs und KRIs konzentrieren.
Sie wollen weitere interessante Beiträge rund um das Thema IT-Sicherheit lesen? Unser kostenloser Newsletter liefert Ihnen alles, was Sicherheitsentscheider und -experten wissen sollten, direkt in Ihre Inbox.
Der Aufbau des richtigen Messrahmens ist ein schrittweiser, iterativer Prozess. Im Folgenden die fünf wichtigsten Schritte, um einen Security Measurement Cycle aufzubauen.
1. Anforderungen definieren
Sprechen Sie mit relevanten Stakeholdern, um deren Bedürfnisse zu definieren und zu verstehen. Diese haben zu diesem Zeitpunkt möglicherweise noch kein umfassendes Verständnis über IT-Risiken – oder ihre eigenen Anforderungen. Deshalb ist für Security-Praktiker ein Bottom-Up-Ansatz empfehlenswert, bei dem sie selbst die Initiative ergreifen und Fragen zu stellen, um die Anforderungen definieren zu können.
2. Key Indicators auswählen
Sobald die Anforderungen der Stakeholder definiert sind, sollten Sicherheitsexperten diejenigen Key Indicators auswählen, die auf diese einzahlen. Dabei sollten die Stakeholder konsultiert und über die beabsichtigten, späteren Messungen informiert werden.
Wenn die Stakeholder die Key Indicators kennen, können sie Maßnahmen ergreifen oder Entscheidungen treffen. Die Schlüsselindikatoren sollten auf hoher Ebene angesiedelt sein – und ihre Anzahl überschaubar bleiben. Das Ziel besteht schließlich darin, die Entscheidungsfindung zu erleichtern.
3. Metriken identifizieren
Nachdem Ziele und Key Indicators festgelegt sind, gilt es für die Sicherheitsteams, die Low-Level-Messgrößen zu fokussieren, die dabei unterstützen, die Indikatoren zu reporten. Das kann – je nach Art des Indikators – bedeuten, dass Dutzende von Metriken aus den verschiedenen oben beschriebenen Messkategorien erforderlich sind.
4. Metriken sammeln und analysieren
Da die Anforderungen nun feststehen, die Schlüsselindikatoren ausgewählt und die Messgrößen festgelegt sind, können die Praktiker nun damit beginnen, Daten auf dieser Grundlage zu sammeln und zu analysieren. Metriken dürfen dabei nur aus Daten abgeleitet werden, die akkurat, aktuell, relevant und vertrauenswürdig sind. Anderenfalls kann es zu Entscheidungen kommen, die schwerwiegende Folgen für die Sicherheitslage des Unternehmens nach sich ziehen.
Es ist die Aufgabe der Security-Teams, Wege zu finden, Daten kontinuierlich zu sammeln (die meisten Messungen erfordern einen Überblick über Trends im Zeitverlauf) und den Prozess vorzugsweise so weit wie möglich zu automatisieren (ein manueller Prozess kann ermüdend und zeitaufwändig sein).
5. Key Indicators reporten
Key Indicators müssen zeitnah an die Entscheidungsträger reported werden. Dabei sollten sich Security-Profis und Stakeholder auf einen zeitlichen Rhythmus einigen – ebenso wie über die Art der Berichterstattung: Sind Dashboards erforderlich oder reichen Powerpoint-Präsentationen aus? Die Schlüsselindikatoren sollten deutlich sichtbar und leicht verständlich sein, um zu Entscheidungen oder Maßnahmen zu führen.
Darüber hinaus ist es wichtig, nach jedem Berichtszyklus die Key Indicators zu überprüfen und sie (unter Einbeziehung der Stakeholder) neu zu bewerten. Haben sich die geschäftlichen Anforderungen tatsächlich geändert, müssen die Anforderungen erneut definiert und ein anderer Satz von Indikatoren und Messgrößen erarbeitet werden.
Unternehmen, Stakeholder und Sicherheitsexperten sollten keine Angst vor Rückwärts- oder Vorwärtsschritten haben: Die Fähigkeit, nach einem schnellen Fail direkt weiterzumachen, zu improvisieren oder sich neu auszurichten sind entscheidende Fähigkeiten, wenn es darum geht, Cybersicherheit erfolgreich zu messen. (fm)
Dieser Beitrag basiert auf einem Artikel unserer US-Schwesterpublikation CSO Online.
Researchers warn of a new software supply chain attack that resulted in a malicious version of Bitwarden CLI, the terminal version of the extremely popular open-source password manager. The attack is believed to be related to the string of recent supply chain compromises attributed to a group called TeamPCP.
“The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign,” researchers from security firm Socket.dev said in a report.
The attackers managed to publish a malicious Bitwarden CLI version 2026.4.0 on the npm registry. The version did not have a corresponding official release on the project’s GitHub repository and was detected and deleted in around 1.5 hours, between 5:57 PM and 7:30 PM ET on April 22.
“The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised,” Bitwarden said in a statement on its community forums. “Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.”
The attack appears to be related to the recent supply chain compromise that impacted the Docker images and VS Code extensions of the KICS infrastructure-as-code vulnerability scanner from security firm Checkmarx. The group alleged to be involved, TeamPCP, has been responsible for a wave of supply chain attacks that have impacted open-source projects in recent months, including the Trivy security scanner.
Luckily the new attack only impacted the CLI version of Bitwarden and not the much more widely used web browser extension and other client applications. Bitwarden is estimated to have over 10 million users, including 50,000 business customers.
The trojanized Bitwarden CLI version 2026.4.0 contained a custom loader called bw_setup.js that checks if the bun package manager is installed and then uses it to execute bw1.js. If bun doesn’t exist, it is downloaded and installed from GitHub.
According to an analysis by security firm JFrog, the malicious payload is designed to detect and collect a board range of credentials and access tokens from the filesystem, shell environment variables, and GitHub actions configurations. Targeted credentials include GitHub and npm tokens, AWS and GCP credentials, API keys from MCP and AI agent configurations, Git credentials, SSH keys, and more.
If GitHub tokens are found, the malicious code automatically weaponizes them by contacting https://api.github.com/user and trying several escalation paths, including executing GitHub Actions and listing secrets from their workflows.
“This is not passive credential theft,” the JFrog researchers said. “It is a secondary access mechanism built to extract more secret material from GitHub-hosted automation environments.”
Users who determined that their Bitwarden CLI installation was updated to the malicious 2026.4.0 version should assume developer and cloud credentials present on their machine have been compromised and should be rotated immediately. The goal of this attacker group is to gather credentials that would enable additional software supply chain attacks.
After uninstalling the malicious version, clearing the npm cache, deleting bw1.js and bw_setup.js from the system, the JFrog researchers recommend:
audit[.]checkmarx[.]cx and 94[.]154[.]172[.]43 at network egress pointsWhy “more alerts” isn’t the same as better security
If you run security in an enterprise environment, you already know the problem. Generic detection tools generate thousands of alerts, most of them low value. Analysts spend hours chasing noise while attackers quietly move laterally using valid credentials and trusted tools.
AI‑driven threat detection promises to fix this, but not every “AI‑powered” platform actually delivers at enterprise scale. Real cyber resilience depends on something much simpler and harder to get right: detecting threats faster, containing them sooner, and reducing the operational impact when something slips through.
Here are three practical ways AI threat detection helps make that happen.
Traditional, rule‑based detection only catches what it already knows. That works for known malware and predictable attacks, but it breaks down when attackers use stolen credentials, PowerShell, or built‑in admin tools. Nothing looks obviously malicious, so alerts either never fire or fire constantly without context.
AI‑driven detection flips the model. Instead of matching signatures, it builds behavioral baselines for users, endpoints, identities, and cloud workloads, then flags deviations that don’t fit normal patterns.
At enterprise scale, this matters because:
Platforms like Adlumin MDR™ apply behavioral models and automated triage to suppress low‑value alerts and elevate incidents that actually matter. Fewer alerts, better context, and clearer prioritization reduce analyst fatigue and improve detection speed.
From a resilience standpoint, this is the first win: faster detection means attackers have less time to move, escalate privileges, or reach critical systems.
Most serious incidents aren’t a single event. They’re a chain of small actions that only look dangerous when viewed together.
A failed login by itself is noise. Pair that login with unusual file access, an unexpected VPN session, and a new process on a server, and suddenly you have an incident worth acting on.
AI‑driven detection at enterprise scale depends on cross‑telemetry correlation, pulling signals together from endpoints, identity providers, networks, and cloud services before analysts ever see an alert. This turns weak signals into actionable incidents.
Automated triage takes it a step further by:
That automation is critical when attacks start moving quickly. Containing threats early reduces lateral movement and keeps incidents from turning into business‑level disruptions.
This is where MDR really enables cyber resilience. It is not just about detection. It is about shrinking the window between intrusion and containment.
Detection alone does not equal resilience. Enterprise environments need coverage before, during, and after an attack.
A practical framework looks like this:
AI threat detection sits squarely in the “during” phase, but its real value shows up when it is integrated with prevention and recovery. That handoff is where point solutions usually fail and where platform approaches hold up under pressure.
AI threat detection fails when it is bolted onto architectures designed for simpler environments. It works when behavioral detection, correlation, automation, and human expertise operate together as a system built for scale, segmentation, and lean teams.
For IT security leaders, the takeaway is practical: cyber resilience improves when detection reduces noise, response happens faster, and recovery is ready when needed. MDR enables that by changing how quickly teams can see and stop what matters.
Discover what 500+ midmarket leaders are experiencing as AI reshapes the threat landscape in the Futurum research report: Cybersecurity in the Age of AI: Moving from Fragile to Resilient.
Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), Sean Plankey, informed Homeland Security Secretary Markwayne Mullin and the White House that he is withdrawing his nomination after a 13-month stall, during which the well-regarded cybersecurity veteran faced mounting resistance.
“After thirteen months since my initial nomination, it has become clear the Senate will not confirm me,” he wrote in a letter sent to the White House, according to Politico.
Plankey was nominated by Trump last March but failed to be confirmed by the end of 2025. He was renominated in January, only to face resistance to his confirmation. While he waited for his CISA confirmation, he worked for then-DHS Secretary Kristi Noem on Coast Guard issues, retiring from the Coast Guard last month.
The administration’s failure to confirm Plankey comes amid great turmoil at the nation’s cybersecurity agency, which has suffered severe staff reductions and budget cuts since the start of Trump’s current administration, capped by the sudden departure of CISA’s acting director, Madhu Gottumukkala, in February, who was moved into a position at DHS following revelations of embarrassing security missteps he made during his short tenure.
Policy experts say this turmoil is not simply bureaucratic drift — it weakens US cybersecurity at a dangerous moment, inviting foreign adversaries to exploit the aimlessness of an agency that is crucial to national security. “It’s hard for an agency to go this long without confirmed leadership,” Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA), told CSO. “That’s not a good place for the country to be.”
Although neither Plankey nor the White House has clearly stated why his nomination stalled, a series of poorly sourced allegations and reported behind-the-scenes maneuvering over the past few months indicate that adversaries to Plankey’s confirmation were working to derail his leadership of the agency.
On the surface, two Senators vowed to stop Plankey’s CISA confirmation. Sen. Rick Scott (R-FL) blocked Plankey’s nomination due to a Coast Guard issue. At the same time, Sen. Ron Wyden (D-OR) held up Plankey’s nomination to force CISA to release an unclassified report on telephone network security.
A knowledgeable source told CSO they heard on the “backchannel” that someone on the Senate side called on US Representative Hillary Scholten (D-MI) to send a March 24 letter to DHS Inspector General Joseph Cuffari to investigate Plankey’s connection to a government contracting firm, alleging that he failed to cut his financial ties with the firm before his CISA nomination.
However, the CEO of that firm told CSO he was blindsided by Scholten’s letter and that Plankey had forfeited all financial interest in the company prior to the announcement of his CISA nomination. The CEO told CSO he sent a letter to the Coast Guard detailing the facts after Scholten — who he said never contacted his company — sent her letter to DHS.
CSO contacted Scholten’s office multiple times seeking comment, but received no response. CSO also received no response to the questions surrounding this letter from either DHS or CISA. CSO made efforts to reach Plankey for comment, but yielded no response.
On March 3, Ana Visneski, a former head of global disaster response at Amazon Web Services and former chief of digital media for the US Coast Guard, posted on Bluesky that she was “hearing from multiple sources” that Plankey “has been fired and escorted out of Coast Guard HQ by security,” a post that was picked up by at least one influential military analyst. Visneski did not respond to CSO’s request for comment.
Following Visneski’s social media post, CBS News published a report repeating the allegation, saying that Plankey was abruptly escorted out of the US Coast Guard headquarters and had his access badge removed. CBS News also reported that sources said Plankey’s renomination was made in error, which the White House denied.
The CBS report also highlights longstanding tensions between Plankey and Madhu Gottumukkala over cybersecurity contracts. Gottumukkala had been former DHS Secretary Kristi Noem’s CIO in South Dakota, and Plankey, by all accounts, had an excellent relationship with Noem while at DHS.
Two sources told CSO that it was highly unlikely that Plankey was fired because he received a Coast Guard award days after he was supposedly escorted out of the building, and, moreover, he was still the CISA nominee at that point, an unlikely status if he had indeed been fired.
Whatever harm may have been done to Plankey, it is certain that the lack of leadership at CISA risks damage to the nation’s security, particularly in the middle of the Iran war.
“Cybersecurity is not just a law enforcement or an economic issue,” CTA’s Daniel said. “It’s both of those things, but it is also a national security issue. And we are in a position now where we have started a hot war, a kinetic war.”
He added, “One of the tools that Iran has at its disposal is its cyber capabilities, and it would be foolish of anyone to think that Iran would not at least consider targeting US critical infrastructure because of that ongoing conflict. You have left your nation’s cyber defense agency, which is responsible for working with critical infrastructure across the whole country, leaderless when you’re in an active hot conflict. So that seems like a problem to me.”
Just how long CISA will be leaderless is unclear. One thing that is clear is that Plankey will support whoever does become the next CISA leader.
“While I humbly request the removal of my nomination, I wholeheartedly support President Trump’s upcoming nomination for CISA and look forward to the continued success of the United States of America,” Plankey told the White House.
In the end, the story may be less about Sean Plankey than about what happens when Washington treats cybersecurity leadership as expendable. Leaving the nation’s primary cyber defense agency weakened, underfunded, and without confirmed leadership is not simply a personnel problem — it is a national security risk.
A supply chain attack targeting Checkmarx tooling has exposed developer environments.
Attackers pushed malicious Docker images and tampered extensions capable of stealing credentials and other sensitive data.
This “… continues a dangerous trend that’s accelerated over the past month: CI/CD pipelines have become the new perimeter,” said Eli Woodward, Cyber Threat Intelligence Advisor at Team Cymru in an email to eSecurityPlanet.
He added, “Instead of flashy zero-days or sophisticated phishing campaigns, TeamPCP is methodically abusing trusted resources across our technology ecosystems.”
The compromise centers on Keeping Infrastructure as Code Secure (KICS), a widely used tool designed to scan Terraform, Kubernetes, and other cloud configuration files for security risks.
Socket researchers discovered that attackers poisoned official images in the checkmarx/kics Docker Hub repository, modifying the bundled KICS binary to include hidden data collection capabilities.
As a result, scan outputs — often containing sensitive configuration details, credentials, or secrets — could be silently harvested and transmitted to attacker-controlled infrastructure.
The risk is amplified because KICS is commonly embedded in CI/CD pipelines, meaning organizations may have unknowingly exposed sensitive infrastructure data during routine automated scans.
Several commonly used tags, including v2.1.20, alpine, debian, and latest, were temporarily redirected to malicious images before being restored.
A rogue v2.1.21 tag was also introduced despite not corresponding to any legitimate upstream release.
As the investigation progressed, it became clear the incident extended beyond just compromised container images.
Researchers identified suspicious behavior in Checkmarx-related VS Code extensions, pointing to a broader, coordinated supply chain attack across multiple distribution channels.
Deeper analysis revealed that certain extension versions (notably 1.17.0 and 1.19.0) contained hidden functionality that downloaded and executed a second-stage payload, mcpAddon.js, using the Bun runtime.
The payload was fetched from a hardcoded GitHub URL tied to a backdated, manipulated commit in Checkmarx’s repository, allowing attackers to leverage a trusted source to evade detection.
The mcpAddon.js payload functions as a comprehensive credential harvester, targeting sensitive data such as GitHub tokens, cloud credentials, npm configs, SSH keys, and environment variables.
Once collected, the data is compressed, encrypted, and exfiltrated to external infrastructure and attacker-controlled public GitHub repositories, sometimes within victim accounts.
In some cases, repository metadata and commit messages were also used as covert staging channels.
This campaign represents a sophisticated, multi-stage software supply chain compromise.
It combines techniques such as Docker image poisoning via tag overwrites, Git history manipulation with backdated commits, RCE through developer extensions, and CI/CD pipeline abuse.
Using stolen GitHub credentials, the malware propagates by identifying repositories with secrets, creating new branches, and injecting malicious workflows to extract those secrets as artifacts.
These workflows execute automatically upon commit and are later removed to reduce forensic visibility, enabling the attack to scale across repositories, organizations, and pipelines.
Researchers have confirmed a working attack chain, though parts of the operation remain under active investigation.
A threat actor group known as TeamPCP is claiming responsibility for the incident.
This campaign also appears to extend beyond just Checkmarx tooling.
Separate findings show the Bitwarden CLI was also compromised via a similar GitHub Actions vector, indicating a broader supply chain attack targeting developer tools and CI/CD pipelines.
Socket’s research team is continuing to investigate the Bitwarden incident as well.
Organizations should treat this incident as a supply chain and credential exposure issue rather than a standalone tooling problem.
While immediate containment is important, longer-term risk reduction depends on strengthening controls across CI/CD pipelines, dependencies, and identity management.
Taking these steps helps organizations build resilience against supply chain attacks while limiting the potential blast radius if a compromise occurs.
This incident reflects a broader shift in attacker focus toward the software supply chain, where compromising trusted tools can provide access to multiple environments through a single entry point.
It also highlights the focus on credential-based attacks, where stolen tokens, keys, and secrets enable persistence and movement across systems, pipelines, and cloud environments.
These evolving risks are why organizations are using zero trust solutions to help manage trust and limit blast radius of supply chain incidents.
The post Checkmarx Supply Chain Attack Exploits Docker Images and CI/CD Pipelines appeared first on eSecurity Planet.
If you use the internet, you’ve likely been affected by cybercrime in some way. Even when an attack is aimed at a company, the fallout usually lands on ordinary people.
The most obvious harm is stolen data. When attackers break into a business, it is usually customer information that ends up in criminal hands, and that can lead to identity theft, tax fraud, credit card fraud, and a long tail of scam attempts that can continue for months or years. For consumers, the breach itself is often just the start of the cleanup.
That work is annoying, time-consuming, and sometimes expensive. People may have to freeze credit, replace cards, change passwords, be on the lookout for suspicious transactions, and dispute charges. The Federal Trade Commission (FTC) specifically advises consumers to use IdentityTheft.gov after a breach and recommends steps like credit freezes and fraud alerts to reduce the chance of further abuse.
When sensitive data is exposed, the harm is not only financial. Medical, insurance, and other deeply personal records can be used to create more convincing phishing or extortion attempts, and the stress of knowing that private information is circulating among criminals can linger long after the technical incident is over. In other words, breach victims are not just cleaning up a data problem, they are dealing with a loss of trust.
Cybercrime also hits consumers through service disruption. Ransomware and intrusion campaigns can interrupt payment systems, telecom services, shipping, energy distribution, booking platforms, and other infrastructure people rely on every day. In those cases, the consumer impact is immediate: you may not be able to pay, travel, call, buy, or even work normally. The CSIS timeline and Canada’s cyberthreat assessment both show that these disruptions are increasingly tied to high-value targets and can be part of broader state or criminal campaigns.
Not all these incidents are driven by cybercriminals. Recently, Britain’s cybersecurity chief warned that the UK is handling 4 nationally significant cyberincidents every week, with the majority now traced back to foreign governments rather than cybercriminal groups.
Another cost is easy to overlook: disinformation and confusion. When attackers steal data, disrupt services, or impersonate trusted brands, they can also flood the public with fake support messages, scam calls, refund schemes, and phishing emails pretending to be the breached company. The breach becomes a launchpad for more fraud, and consumers are left trying to separate legitimate notifications from those sent by attackers.
Then there is the security backlash. After a breach, companies usually tighten access rules, add more multi-factor authentication prompts, force reauthentication, shorten sessions, and increase fraud checks. Those measures are often necessary, but they also make ordinary digital life more cumbersome. The consumer ends up paying with time and frustration for security problems they did not create.
That is why company-targeted cybercrime is not really only a business problem. It is a consumer issue, a public-trust issue, and sometimes even a national security issue. A single breach can leak data, trigger fraud, interrupt essential services, amplify scams, and make using the internet more frustrating for everyone else. The real cost is rarely confined to the company that got hit.
Knowing this, it’s worth thinking carefully about which companies to trust with your data and how much you’re willing to share . You cannot stop every attack against every company you deal with, but you can limit the fallout by being more selective. Some considerations:
Your name, address, and phone number are probably already for sale.
Data brokers collect and sell your personal details to anyone willing to pay. Malwarebytes Personal Data Remover finds them and gets your information removed, then keeps watch so it stays that way.
AI risk is being mis-scoped as a guardrail problem. For managed and security service providers, this creates both a business opportunity and a responsibility to reframe what customers are actually buying
The company will use the investment to accelerate product development and grow go-to-market efforts.
The post Cloudsmith Raises $72 Million in Series C Funding appeared first on SecurityWeek.
The partnership aims to help MSSPs connect identity and endpoint signals faster, reduce analyst handoffs, and improve containment in AI-driven environments.
The UK’s National Cyber Security Centre (NCSC) is recommending passkeys as the default authentication method for businesses to offer consumers, citing industry progress that now makes them a more secure and user-friendly alternative to passwords.
In a blog post published this week, the agency said passkeys can now be recommended to both the public and businesses as a primary authentication method.
“Passkeys should now be consumers’ first choice of login,” the UK cybersecurity authority said in a blog post, adding that passwords are “no longer resilient enough for the contemporary world.”
“Passkeys are a newer method for logging into online accounts which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password. This makes passkeys quicker and easier to use and harder for cyber attackers to compromise,” the NCSC added in the blog.
The agency said passkeys should be used wherever supported, describing them as resistant to phishing and eliminating risks associated with password reuse.
The guidance is based on the agency’s assessment of how authentication methods perform against real-world attacks.
The NCSC said its analysis examines common techniques, including phishing, credential reuse, and session hijacking, and evaluates how credentials are exposed across their lifecycle, from creation and storage to use.
“Passkeys are resistant to phishing attacks and remove the risks associated with password reuse,” the agency said.
In its accompanying technical paper, the NCSC said traditional authentication methods, including passwords combined with one-time codes, remain “inherently phishable.”
By contrast, FIDO2-based credentials such as passkeys are “as secure or more secure than traditional MFA against all common credential attacks observed in the wild,” the agency said.
However, NCSC cautioned in the technical paper that “while much of the analysis in this paper also applies to enterprise authentication scenarios (for example staff authenticating to a Single Sign On), the different threat model and usage scenarios mean this paper is not intended for enterprise risk assessment.”
The NCSC added that passkeys reduce risk by removing reliance on shared secrets and binding authentication to the legitimate service.
According to the agency, this prevents credential reuse and relay attacks, as authentication cannot be intercepted and reused by an attacker.
Passkeys use cryptographic key pairs stored on a user’s device, with authentication tied to device-based verification such as biometrics or PINs, the agency said.
For organizations that provide online services to customers, the guidance signals a shift in how authentication is implemented at the user interface level.
“This is a fundamental architectural change, not an incremental authentication upgrade,” said Madelein van der Hout, senior analyst at Forrester. “It moves organizations beyond the passwords-plus-MFA paradigm toward a phishing-resistant foundation.”
Van der Hout said passkeys eliminate risks associated with credential theft by using device-bound cryptographic authentication rather than shared secrets.
“Organizations that treat this as a credential swap will underinvest,” she said. “Those who treat it as a broader identity modernization opportunity will get ahead.”
The NCSC said organizations should also consider how authentication is implemented across the full user journey, including account recovery and fallback mechanisms.
While passkeys reduce reliance on passwords, the agency noted that weaker processes, such as password resets or account recovery flows, can still introduce risk if not properly secured.
The NCSC said passkeys are not yet universally supported and recommended password managers and multi-factor authentication where passkeys cannot be used.
“Where a particular service does not support passkeys, the NCSC’s advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification,” NCSC noted in the blog post.
Van der Hout said implementation challenges are likely, particularly for organizations operating across multiple platforms and user environments.
“Legacy systems and fragmented identity environments present significant obstacles,” she said.
She added that organizations must also consider non-human identities. “Any passkey strategy that ignores the machine identity layer will create new security gaps,” she said.
Device requirements and account recovery processes may also affect how passkeys are deployed, she said.
A full transition away from passwords is unlikely in the near term, analysts believe.
“Expect a hybrid model lasting several years,” van der Hout said, as organizations continue to support both passkeys and traditional authentication methods.
During this period, organizations will need to manage authentication across multiple login options while ensuring that fallback methods do not weaken overall security, she added
The NCSC similarly advised maintaining strong authentication practices where passkeys are not yet available.
The guidance adds to broader efforts to move away from passwords in consumer authentication.
“The guidance matters because it gives security leaders leverage,” van der Hout said, including in discussions with vendors and internal stakeholders.
The NCSC said that moving toward phishing-resistant authentication could reduce a major cause of cyber compromise, particularly in services that rely on user login credentials.
360 Digital Security Group claims to have uncovered 1,000 vulnerabilities using AI, including at the Tianfu Cup hacking contest.
The post Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos appeared first on SecurityWeek.
Google unveiled a broad push toward agentic, AI-driven defense at Google Cloud Next ‘26 to help SOC analysts as they scramble to keep up with the influx of CVEs Mythos threatens.
As Mythos promises to uncover more software vulnerabilities, Google is betting that only agents, not analysts, can keep pace with what is coming.
Google unveiled new capabilities focused on automating detection, accelerating response, and securing the increasingly messy intersection of AI, cloud, and third-party ecosystems.
Under this, the search giant announced three new agents in Google Security Operations, expanded security across clouds and AI studios with expanded Wiz integration, and the Gemini Enterprise Agent Platform that promises a defense layer against shadow AI.
Additionally, Google said it is working on simplifying permissions with modern IAM, along with a handful of improvements in Google Cloud Security.
Google’s most direct help to SOC teams comes in the form of three new AI agents embedded in Google Security Operations. These include a threat hunting agent, a detection engineering agent, and a third-party context agent.
While the threat hunting and detection engineering agents, both now in preview, aim to identify novel attack patterns and close detection gaps, respectively, the third-party context agent, set to enter preview, is designed to enrich investigations with external intelligence.
Google claimed its existing triage and investigation agent has already processed over five million alerts, shrinking analysis time from 30 minutes to roughly a minute using Gemini.
There’s also a push toward what Google calls “agentic automation,” where response actions can be triggered automatically, paired with new dark web intelligence (infused into Google Threat Intelligence) capabilities to prioritize real threats with high accuracy.
Google has expanded its Wiz portfolio to tackle the chaos of AI development and multi-cloud risk.
Wiz is being positioned as the connective tissue across environments, supporting everything from AWS and Azure to SaaS platforms and AI agent studios.“Wiz now supports Databricks as well as new agent studios like AWS Agentcore, Gemini Enterprise Agent Platform, Microsoft Azure Copilot Studio, and Salesforce Agentforce, so customers gain visibility however their teams choose to build,” said Francis deSouza, COO, Google Cloud and President, Security Products.
Other new capabilities from the integration come in the form of inline scanning of AI-generated code, integrations directly into developer workflows, and an AI-bill of materials (AI-BOM) that inventories all AI components, including models, frameworks, and IDE plugins across an organization.
AI-BOM is targeted as a practical response to shadow AI, offering visibility into tools developers use versus what’s approved.
Google is also aiming to have visibility into the plane where AI agents interact autonomously across systems, something it calls the “agentic web.”
To address that, it introduced Agent Identity and Agent Gateway for governance and policy enforcement, alongside deeper integrations for Model Armor to mitigate risks like prompt injection and data leakage. There’s also a reworked approach to bot and fraud detection through Google Cloud Fraud Defense, which aims to distinguish between humans, bots, and AI agents across the workflows.
The company will hire new talent and expand operations across the US and other allied countries.
The post Rilian Raises $17.5 Million for AI-Native Security Orchestration appeared first on SecurityWeek.
Apple has released a software update that deals with an issue that could allow deleted notifications to be retrieved. Something that, in at least one reported case, was used by law enforcement during forensic analysis.
Apple fixed the issue in iOS and iPadOS versions 18.7.8 and 26.4.2 (check availability for your device at those links). The update deals with a singular security vulnerability, tracked as CVE-2026-28950.
Although the description is brief—“a logging issue was addressed with improved data redaction”—the impact points us in the right direction.
“Notifications marked for deletion could be unexpectedly retained on the device.”
This suggests that Apple’s bug was that iOS kept copies of notification content in an internal database for longer than intended, even after the messages “disappeared” or the app was uninstalled. In a case reported by 404 Media, law enforcement was able to recover those notifications using standard forensic tools once they had access to the unlocked device. The example in that reported case involved Signal.
A response on X by Signal states:
“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.”
Before we go into the update process, you may want to know that you can mute or hide notifications in Signal, which also protects them from prying eyes. In Signal, open your Settings and tap on Notifications. You can adjust several settings there. For example, I have mine set so I only see the name of the sender.
For iOS and iPadOS users, you can check if you’re using the latest software version by going to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.
Update settings on iPad
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Microsoft plans to integrate Anthropic’s Mythos AI model into its Security Development Lifecycle, a move that suggests advanced generative AI is beginning to play a direct role in how major software vendors identify vulnerabilities and harden code against attack.
The company said it will use Mythos Preview, along with other advanced models, as part of a broader push to strengthen secure coding and vulnerability detection earlier in the software development process.
The announcement comes as Anthropic’s Mythos heightens concerns that advanced AI models could dramatically shrink the time between finding a software flaw and exploiting it. Analysts say Mythos marks a notable leap in AI-driven vulnerability research, with the ability to uncover thousands of serious flaws across major operating systems and browsers.
OpenAI has also entered the space with GPT-5.4-Cyber, a version of its flagship model tailored for defensive cybersecurity work. Keith Prabhu, founder and CEO of Confidis, said a future OpenAI model, which he referred to as “Spud,” could emerge as an even stronger rival.
The move matters beyond Microsoft’s own engineering organization. For enterprise security leaders, it offers a clear sign that frontier AI models are starting to move from experimental use into core cybersecurity workflows.
That could change how software vendors build products and how defenders view the risks and benefits of using the same AI tools attackers may also exploit.
“This marks a seminal turning point in the secure software development lifecycle process,” Prabhu said. “While earlier tools were only capable of static code scanning for vulnerabilities, with AI, there is a possibility of a dynamically learning model which can also perform dynamic vulnerability and even penetration testing in real time.”
Over time, Prabhu said, the pressure to adopt AI-assisted security tools is likely to spread beyond the largest software vendors.
Neil Shah, vice president for research at Counterpoint Research, said more than 95% of Fortune 500 companies use Microsoft Azure in some capacity, while Azure AI and the Copilot suite are entrenched across about 65% of those companies. Millions of businesses also rely on multiple Microsoft products and cloud services.
“Using Mythos in Microsoft’s Security Development Lifecycle could help strengthen and harden products like Windows, Azure, Microsoft 365, and developer tools,” Shah said. “Every enterprise running those products could benefit from the security improvement without needing direct Mythos access themselves.”
Prabhu noted that Microsoft said it had evaluated Mythos using its open-source benchmark for real-world detection engineering tasks, with results showing substantial improvements over prior models.
“Such a claim coming from Microsoft does suggest that these new AI models are becoming materially better at identifying exploitable flaws than earlier generations,” Prabhu added. “However, as with any AI tool, the strength of the tool lies in its ability to analyze code quickly based on past learning. There is a possibility that it could miss new types of vulnerabilities that only a ‘human-in-the-loop’ could identify.”
Roblox has long faced criticism over child safety on its platform. Now it has started settling with state attorneys over the issue, and the total is climbing fast.
On April 21, Alabama Attorney General Steve Marshall announced a $12.2 million settlement with the child-focused online gaming platform. The State of West Virginia also settled for $11 million the same day. Those came a week after Nevada Attorney General Aaron Ford got the company to hand over $12 million.
Their problem with Roblox is clear from the settlement documents: they believe it hasn’t been adequately protecting children from predators on its platform.
As part of Alabama’s settlement, Roblox must now run age checks on everyone via facial age estimation or a government ID starting May 1. That applies to both new and existing accounts. The company must now also monitor account behavior to catch users who lied about their age.
Adults and under-16s won’t be able to talk with each other at all unless they’re on a “trusted friend” list, added via QR code or a phone-contact import, and users that don’t undergo age verification can’t chat to anyone.
Communication involving any minor cannot be encrypted, so law enforcement can read it during investigations. West Virginia’s settlement also insists that Roblox alert minors the first time they enter a private chat, so children understand how to communicate safely.
Roblox already stopped people from chatting without age verification as of January this year, but under new measures it will start restricting access to games for those that don’t undergo the process. Starting in June, the platform will split into three tiers: Roblox Kids for ages 5–8 will forbid any chats at all, and will only allow access to games labeled ‘minimal’ or ‘mild’ on its maturity scale. Those who don’t complete age verification will also have these restrictions. The other two account levels are Roblox Select for 9–15 year-olds, and standard accounts for those 16 and up.
Three settlements in eight days totaling more than $35 million must hurt, but it’s just the beginning. Texas, Florida, Louisiana, Iowa, Nebraska, Kentucky, and Tennessee are all pursuing similar claims: that Roblox exposed children to risk and then misled parents about its safeguards.
In February, LA County sued Roblox, accusing the platform of choosing profit over safety and leaving kids exposed to grooming and explicit content.
Roblox is also separately dealing with nearly 80 federal lawsuits filed by families in California alone. And Australia’s eSafety Commissioner has also issued legally-enforceable transparency notices to Roblox and other tech companies. These force them to detail what they’re doing to protect children. Those notices are backed by fines of A$825,000 a day (that’s about US$590,783) for non-compliance.
The $12.2 million from Alabama’s settlement funds school resource officers through the state’s Safe School Initiative. Nevada’s is earmarked for the Boys & Girls Club and “nondigital activities,” plus a law-enforcement liaison and an online-safety awareness campaign. West Virginia will invest $500,000 in safety education workshops for parents and children, create a $1.5 million three-year public safety campaign, and spend $2.4 million on a dedicated internet safety specialist for six years.
There’s a predictable rhythm to how big tech companies face down state attorneys general. First comes pushback, then rhetoric about shared values, and then they start handing over cash.
It is a step forward that Roblox is agreeing to new safeguards, but questions remain.
In its own lawsuit against Roblox launched last month, Nebraska complained that the company’s existing age-check technology was inadequate. From the complaint:
“Rather than meaningfully protecting children, the system has repeatedly misclassified users’ ages, placing adults in child chat groups and minors in adult categories, while age-verified accounts for young children have already been traded on third-party marketplaces, undermining any purported safety benefits.”
What happens when the age-estimation AI guesses wrong on a 14-year-old who looks 17, or when a “trusted friend” QR code gets passed around a group chat somewhere it shouldn’t?
The company’s Persona age-check tool has also turned out to do more than check ages: researchers say they found an exposed frontend showing the system was also running facial recognition against watchlists.
Settlements address past concerns, but they don’t guarantee future safety. Parents must still do the work to ensure that they know what their kids are signing up for and who else they might be playing with.
For more information about the safety of Roblox and other services, check out our research: How Safe are Kids Using Social Media?
According to CNET. Read their review →
Gorodenkoff | shutterstock.com
Cloud Security bleibt ein diffiziles Thema und die Tools, mit denen sie sich gewährleisten lässt, werden zunehmend komplexer und schwieriger zu durchschauen – auch dank der ungebrochenen Liebe der Branche zu Akronymen. Mit CNAPP kommt nun ein weiteres hinzu.
Die Abkürzung steht für Cloud-Native Application Protection Platform – und kombiniert die Funktionen von vier separaten Cloud-Security-Werkzeugen:
Über diese vier „klassischen“ Elemente hat sich CNAPP inzwischen auch auf andere Bereiche ausgeweitet. Zum Beispiel:
Aus Anwendersicht ist CNAPP damit sowohl schwer zu verstehen als auch diffizil zu evaluieren – und entsprechend schwer einzukaufen, wie Forrester-Chefanalyst Andras Cser in einem Blogbeitrag zum Thema nahelegt. Weil teilweise auch Security-Optionen außerhalb der Cloud abgedeckt würden, sei jede CNAPP-Kaufentscheidung und -Implementierung auch eine Team- oder abteilungsübergreifende Aufgabe, so der Analyst.
Anders ausgedrückt: Geht‘s um CNAPP, muss eine ganze Menge Software abgestimmt, gemanagt, integriert und verstanden werden. Um Ihnen den Überblick zu erleichtern, haben wir die Details zu den wichtigsten Anbietern und Angeboten in diesem Kaufratgeber zusammengetragen.
Geprägt hat die Produktkategorie – beziehungsweise das Akronym – einmal mehr Gartner. Das Analystenhaus verwendete den Begriff CNAPP erstmals in seinem „Innovation Insight“-Report aus dem August 2021. Der Schlüssel zum Verständnis dieser Produktkategorie liegt in den Integrationsherausforderungen für Unternehmensanwender: Im „State of Observability Report“ von VMware geben 57 Prozent der Befragten an, dass innerhalb einer typischen Cloud-Anwendung bis zu 50 verschiedene Technologien zum Einsatz kommen – die im Schnitt mit zehn Monitoring-Tools gemanagt werden.
Und laut dem „Observability Report 2024“ (Download gegen Daten) von Dynatrace besteht eine typische Enterprise-Umgebung im Schnitt aus einem Dutzend unterschiedlichen Cloud-Plattformen, wobei regelmäßig ein Mix aus Private-, Public- und Hybrid-Cloud-Strategien zur Anwendung kommt. Hinzu kommen dann noch verschiedene Instanzen virtueller Maschinen, Kubernetes-Container sowie Serverless- und Microservices-Tools. Diese erhebliche Integrationsbelastung könnte auch ein Grund dafür sein, dass der CNAPP-Markt im zweiten Quartal 2024 ein Gesamtvolumen von 700 Millionen Dollar erreicht hat und damit im Jahresvergleich um 42 Prozent gewachsen ist – wie die Analysten der Dell’Oro Group berichten.
Im Idealfall sollte eine CNAPP-Lösung:
Die Anbieter verfolgen mit Blick auf CNAPP zwei unterschiedliche Ansätze: Entweder sie fokussieren die DevSecOps– oder die traditionelle IT-Security-Perspektive. Ersteres hat einen stärkeren Fokus auf den Schutz der Applikationen selbst zur Folge (CIEM/CWPP), letzteres eine Ausweitung traditioneller Schutzmaßnahmen auf Netzwerkebene (CASB/CSPM). Bislang deckt kein CNAPP-Offering wirklich konsequent alle vier Bereiche ab.
Natürlich spielt künstliche Intelligenz (KI) auch in diesem Bereich zunehmend eine Rolle: Diverse CNAPP-Anbieter integrieren, beziehungsweise kombinieren KI-Agenten und agentenlose Lösungen in ihren Produkten, um ein umfassenderes Monitoring und eine möglichst breite Abdeckung und Scalability zu bieten.
Fokus: DevSecOps
Form: Einheitliche Plattform mit verschiedenen Produkten;
Besondere Features/Integrationen: „(No-)Breach-Garantie“ bis zu einer Million Dollar;
Preisgefüge: kostenlose Trial-Version; ab 850 Dollar pro Monat;
CrowdStrike Falcon Cloud Security
Fokus: DevSecOps / IT-Security
Form: Einheitliche Plattform mit verschiedenen Produkten;
Besondere Features/Integrationen: Cloud Detection and Response (CDR), AppSec, Schwachstellenanalyse für Container-Images;
Preisgefüge: Abonnement-Preis richtet sich nach den gewählten Produkten;
Fokus: DevSecOps
Form: Separate Produkte für Cloud, Web und Supply Chain;
Besondere Features/Integrationen: Headliner Attack Policies, Artifact Scanning, zentrale Analyse-Engine, Kubernetes-Support;
Preisgefüge: komplex und teuer; unterschiedliche Tarife für jedes Produkt;
Fokus: IT-Security
Form: Einheitliche Plattform mit verschiedenen Produkten;
Besondere Features/Integrationen: Verhaltensbasierte Schutzregeln, SOAR, AppSec, Scans für Build- und Deployment-Pipelines;
Preisgefüge: kostenlose Probeversion; richtet sich nach der Nutzungsdauer sowie den in Anspruch genommenen vCPUs;
Fokus: IT-Security
Form: Einheitliche Plattform mit verschiedenen Produkten;
Besondere Features/Integrationen: Side Scanning, Risikopriorisierung, AppSec-Pipelines, KI-Features;
Preisgefüge: orientiert sich an Workloads, Storage Buckets und Datenbank-Scans sowie den eingesetzten Sensoren;
Palo Alto Networks Cortex Cloud
Fokus: IT-Security
Form: Einheitliche Plattform mit verschiedenen Produkten;
Besondere Features/Integrationen: CDR, AppSec-Integration, Laufzeitschutz und DSPM, Support für IBM und Akamai Clouds geplant;
Preisgefüge: komplex und teuer; richtet sich nach den gewählten Modulen und abgesicherten Workloads;
Fokus: IT-Security
Form: Einheitliche Plattform;
Besondere Features/Integrationen: CDR, Container und IaC-Security, SaaS Posture Management, KI-Funktionen;
Preisgefüge: kostenlose Probeversion; Abo-Modell auf Workload-Basis;
Fokus: DevSecOps
Form: Einzelprodukt;
Besondere Features/Integrationen: „Next Generation“ CDR, Risikopriorisierung, KI-Funktionen und-Analysen;
Preisgefüge: Festpreis pro Host Model; ab circa 500 Dollar pro Monat;
Fokus: IT-Security
Form: Standalone-Lösung oder als Bestandteil der Exposure-Management-Plattform Tenable One;
Besondere Features/Integrationen: Exposure Management, DSPM, KI Security, Kubernetes- und IaC-Support;
Preisgefüge: kostenlose Probeversion; komplexes Preismodell, das sich an Nodes oder Workloads ausrichten lässt;
Fokus: DevSecOps
Form: Einzelprodukt;
Besondere Features/Integrationen: fokussiert in erster Linie auf Container- und Kubernetes-Security;
Preisgefüge: kostenlose Open-Source-Version; kommerzielle Optionen mit Abo-Abrechnungsmodell oder pro Node-Stunde;
Fokus: IT-Security
Form: Einheitliche Plattform;
Besondere Features/Integrationen: XDR, AppSec, DSPM, KI- und ML-Funktionen;
Preisgefüge: diverse Optionen; ab circa 5.000 Dollar pro Jahr (200 Cloud Assets);
Fokus: IT-Security
Form: Einheitliche Plattform mit verschiedenen Produkten;
Besondere Features/Integrationen: Risikopriorisierung mit Graph-basierten Visualisierungen und Analysen von Code zu Cloud zu Runtime, KI-Funktionen, Container- und Kubernetes-Support;
Preisgefüge: verschiedene Preispläne, die sich nach den Workloads richten;
Bevor Sie sich für einen dieser CNAPP-Anbieter entscheiden, sollten Sie sich folgende Fragen stellen:
(fm)
Serial-to-Ethernet adapters used in industrial, retail, and healthcare environments to link serial devices to TCP/IP networks are riddled with vulnerabilities and outdated open-source components, researchers warn. The flaws enable various attacks scenarios, including taking full control of mission-critical equipment such as remote terminal units, programmable logic controllers, point-of-sale systems, and bedside patient monitors.
In a new study dubbed BRIDGE:BREAK, researchers from cybersecurity firm Forescout analyzed the firmware from five major vendors of serial-to-IP converters and found that each firmware image contained on average 80 open-source software components with almost 2,500 known vulnerabilities in them and 89 publicly available exploits.
In addition, the researchers identified 22 new vulnerabilities in three devices from Lantronix and Silex Technology America with impact ranging from remote code execution to authentication bypass, information disclosure, and denial-of-service.
Search engines such as Shodan show close to 20,000 internet-exposed serial-to-Ethernet converters, though the number of such devices deployed within networks is likely in the millions, as they are used across many industries. But even when they are not directly connected to the internet, attackers can still reach such devices after breaking into internal networks through a variety of other initial access vectors.
Because serial protocols often lack authentication or encryption “attackers may alter serial data received from a sensor as it moves into the IP network,” the researchers said. “For example, changing temperature, pressure, humidity, flow, patient heart rate readings to arbitrary values. Conversely, attackers may modify commands traveling from the IP network to the serial side before they reach an actuator. For example, changing the speed or direction of a servo motor.”
Serial-to-IP converters have been targeted in real-world attacks against critical infrastructure in the past. For example, in a 2015 cyberattack that disrupted power distribution at several power substations in Ukraine, attackers loaded corrupted firmware onto Moxa serial-to-IP converters via the firmware update function.
Then just a few months ago in December, wind and solar farms in Poland were targeted by Russian hackers in a cyberattack that involved resetting the configurations on Moxa NPort serial device servers. The devices were not directly exposed to the internet, but attackers gained access to them after compromising VPN concentrators.
Firmware in devices analyzed by Forescout was running old versions of the Linux kernel as well as other outdated libraries and userspace binaries. In addition, half of the Linux kernel branches observed reached end of life, complicating future updates.
As a result, analyzed firmware images had more than 2,000 known vulnerabilities on average, most located in the Linux kernel itself. The firmware image with the lowest number of flaws still had 210 vulnerabilities. Of course, not all flaws are equal, but on average 68% were low or medium severity, 29% were high severity, and 3% were critical severity.
Because of the old kernel versions used, the anti-exploit mitigations applied at the OS level for binaries were also highly inconsistent. Only 23% of firmware images used stack canaries, a feature that prevents stack smashing exploits; 44% used RELRO (Relocation Read-Only), which prevents attackers from redirecting execution by overriding the Global Offset Table; 67% used PIE (Position Independent Executable), a mechanism that makes Return Oriented Programming (ROP) attacks much harder; and 84% used NX (No-eXecute bit), a feature that marks certain memory stack and heap areas as non-executable to prevent straightforward buffer overflow exploits.
Aside from all the known vulnerabilities from open-source components, the Forescout researchers also performed manual security analysis and identified previously unknown flaws in the firmware of three specific devices from two vendors: Lantronix EDS3000PS Series, Lantronix EDS5000 Series, and Silex SD330-AC.
The web-based management interface of the Lantronix EDS5000 had five flaws in multiple pages and fields caused by missing input sanitization that could lead to remote code execution as root. The Lantronix EDS3000PS had one RCE, an authentication bypass issue and a device takeover flaw where the password change feature did not ask for the old password, potentially allowing attackers to change the password for the administrator account.
While the Lantronix flaws were all in the web interface, some of the 12 vulnerabilities found in the Silex SD-330AC were in various network services, exploitable via UDP packets. In total the researchers found three new RCE flaws, an authentication bypass, an arbitrary file upload issue that could allow unauthenticated attackers to upload firmware binaries, two device takeover and privilege escalation bugs, two configuration tampering flaws, and other issues that could lead to information disclosure and denial-of-service.
In addition, the researchers found that the firmware signing key may be obtainable by attackers, which could give them the ability to create malicious firmware images. Silex is in the process of remediating this issue.
“As these devices are increasingly deployed to connect legacy serial equipment to IP networks, vendors and end-users should treat their security implications as a core operational requirement,” the Forescout researchers said.
Both Lantronix and Silex already released firmware updates to address the reported flaws: SD-330AC Firmware version 1.50, EDS5000 series version 2.2.0.0R1, and EDS3000 series version 3.2.0.0R2.
In addition to patching, Forescout recommends:
The Claude Mythos Preview appears to be living up to the hype, at least from a cybersecurity standpoint. The model, which Anthropic rolled out to a small group of users, including Firefox developer Mozilla, earlier this month, has discovered 271 vulnerabilities in version 148 of the browser. All have been fixed in this week’s release of Firefox 150, Mozilla emphasized.
These findings set a new precedent in AI’s ability to unearth bugs, and could turbocharge cybersecurity efforts.
“Nothing Mythos found couldn’t have been found by a skilled human,” said David Shipley of Beauceron Security. “The AI is not finding a new class of AI-exclusive super bugs. It’s just finding a lot of stuff that was missed.”
However, the news comes as Anthropic is reportedly investigating unauthorized use of Mythos by a small group who reportedly gained access via a third party vendor environment, revealing the double-edged nature of AI.
Firefox has previously pointed AI tools, notably Anthropic’s Claude Opus 4.6, at its browser in a quest for vulnerabilities, but Opus discovered just 22 security-sensitive bugs in Firefox 148, while Mythos uncovered more than ten times that many.
Firefox CTO Bobby Holley described the sense of “vertigo” his team felt when they saw that number. “For a hardened target, just one such bug would have been red-alert in 2025,” he wrote in a blog post, “and so many at once makes you stop to wonder whether it’s even possible to keep up.”
Firefox uses a defense-in-depth strategy, with internal red teams applying multiple layers of “overlapping defenses” and automated analysis techniques, he explained. Teams run each website in a separate process sandbox.
However, no layer is impenetrable, Holley noted, and attackers combine bugs in the rendering code with bugs in the sandboxes in an attempt to gain privileged access. While his team has now adopted a more secure programming language, Rust, the developers can’t afford to stop and rewrite the decades’ worth of existing C++ code, “especially since Rust only mitigates certain, (very common) classes of vulnerabilities.”
While automated analysis techniques like fuzzing, which uncovers vulnerabilities or bugs in source code, are useful, some bits of code are more difficult to fuzz than others, “leading to uneven coverage,” Holley pointed out. Human teams can find bugs that AI can’t by reasoning through source code, but this is time-consuming, and is bottlenecked due to limited human resources.
Now, Claude Mythos Preview is closing this gap, detecting bugs that fuzzing doesn’t surface.
“Computers were completely incapable of doing this a few months ago, and now they excel at it,” Holley noted. Mythos Preview is “every bit as capable” as human researchers, he asserted, and there is no “category or complexity” of vulnerability that humans can find that Mythos can’t.
Gaps between human-discoverable and AI-discoverable bugs favor attackers, who can afford to concentrate months of human effort to find just one bug they can exploit, Holley noted. Closing this gap with AI can help defenders erode that long-term advantage.
The industry has largely been fighting security “to a draw,” he acknowledged, and security has been “offensively-dominant” due to the size of the attack surface, giving adversaries an “asymmetric advantage.” In the face of this, both Mozilla and security vendors have “long quietly acknowledged” that bringing exploits to zero was “unrealistic.”
But now with Mythos (and likely subsequent models), defenders have a chance to win, “decisively,” Holley asserted. “The defects are finite, and we are entering a world where we can finally find them all.”
Finding 271 flaws in a mature codebase like Firefox illustrates the fact that AI-driven vulnerability discovery is now operating at a scale and depth that can outpace traditional human-led review, noted Ensar Seker, CISO at cyber threat intelligence company SOCRadar.
Holley’s “vertigo,” he said, was because defenders are realizing the attack surface is larger, and “more rapidly discoverable than previously assumed.”
Security teams must respond by shifting from periodic testing to continuous validation, Seker advised. That means integrating AI-assisted code analysis into continuous integration/continuous delivery (CI/CD) pipelines, prioritizing “patch velocity over perfection,” and assuming that any externally reachable code path will eventually be discovered and weaponized.
“The goal is no longer just finding vulnerabilities first, but reducing the window between discovery and remediation,” he said.
Shipley agreed that any company building software must evaluate resourcing so it can quickly and proactively find and fix vulnerabilities. “But stuff will happen,” he acknowledged. So, in addition to doing proactive work, enterprises must regularly exercise their incident response playbooks.
“The next few years are going to be a marathon, not a sprint,” said Shipley.
However, the dual-use nature of these systems present a big challenge. The same capability that helps defenders identify hundreds of flaws can be turned against them if the model or its outputs are exposed, Seker pointed out.
The reported unauthorized access to Mythos “reinforces that AI systems themselves are now high-value targets, effectively becoming part of the attack surface,” he said.
It’s not at all surprising that people found a way to access Mythos, Shipley agreed; it was inevitable. “Nor does Anthropic have some unique, insurmountable or exclusive AI capability for hacking,” he said, pointing out that OpenAI is already catching up in that regard, and others will “catch and surpass” Mythos.
Striking a balance requires treating AI models like privileged infrastructure, Seker noted. Enterprises need strict access controls, output monitoring, and isolation of sensitive workflows. Developers, meanwhile, must adapt by writing code that is resilient to automated scrutiny; this requires stronger input validation, safer defaults, and “fewer assumptions about obscurity.”
“In this paradigm, security isn’t just about defending systems; it’s about defending the tools that are now capable of breaking them at scale,” Seker emphasized.
Anthropic is investigating reports that an unauthorized group gained access to its newly launched tool, Mythos, highlighting potential gaps in how early-access AI systems are distributed and secured.
“Unauthorized users were able to access Anthropic’s Mythos model, reportedly by just changing a model name,” said Shane Fry, CTO at RunSafe Security in an email to eSecurityPlanet.
He added, “Even if their intent is just to explore, it shows how easily these systems can be exposed.”
Mythos is part of Anthropic’s Project Glasswing initiative, which provides limited, controlled access to advanced AI security tools for a small group of partners, including major technology vendors.
These tools are designed to help organizations detect and respond to threats, but Anthropic noted they could be adapted for offensive use if misused.
According to Bloomberg, the reported unauthorized access occurred through a third-party vendor environment rather than a direct compromise of Anthropic’s infrastructure.
For enterprises adopting AI security tools, the incident highlights the need to tightly manage third-party access and maintain visibility.
Early-access programs can introduce additional exposure if controls, monitoring, and isolation are not consistently enforced.
The group involved is described as a private online community focused on identifying and testing unreleased AI models.
Instead of exploiting a traditional software vulnerability, members reportedly leveraged access associated with an individual working for a third-party contractor and combined it with educated assumptions about where the model was hosted.
By analyzing patterns from previous Anthropic deployments, the group was able to locate and interact with the Mythos system.
Bloomberg reported that the group provided screenshots and live demonstrations as evidence and began using the tool on the same day it was publicly announced.
While members said their intent was exploratory, the incident shows how quickly access controls can be bypassed when deployment patterns are predictable or vendor environments lack strong security.
Organizations using AI tools — especially in preview or limited-release programs — should take a proactive approach to reducing exposure and strengthening access controls.
Together, these measures help organizations limit blast radius and build resilience against unauthorized access and misuse of AI systems.
This incident highlights an ongoing challenge in AI security: safeguarding not only the models themselves, but also the environments in which they are deployed.
As advanced AI tools are shared through partnerships and early-access programs, third-party systems become an important part of the overall risk profile.
These environments require the same level of access control, monitoring, and security oversight as core infrastructure.
This type of risk reinforces the value of zero trust solutions that restrict and continuously verify access across environments.
The post Anthropic Probes Alleged Unauthorized Access to AI Security Tool Mythos appeared first on eSecurity Planet.
The shift from reactive to preemptive security does not eliminate the need for detection. It still has a role, but it cannot serve as the foundation of a security strategy.
This guide is for everyday users, remote workers, and privacy-conscious professionals who want to stay secure online without paying upfront, and it highlights the best free VPNs in 2026 you can trust along with premium trials worth testing before committing.
Free Wi-Fi at the airport. A coffee shop hotspot. Even your home network. Every time you go online, your data can be tracked, sold, or stolen.
A VPN protects your privacy. It encrypts your connection so that bad hackers, advertisers, and even your internet provider can’t see what you’re doing. But the best ones usually come with a price tag. And many so-called “free” VPNs end up costing you in other ways — through ads or by collecting and selling your data.
The good news? A handful of free VPNs are actually worth using.
In this guide, I share the five best truly free VPNs you can trust, including one from a major security brand. I’ll also highlight the top free trials from premium VPNs, so you can test their full power before paying a cent.
eSecurity Planet may receive a commission from merchants for referrals from this website
Best for: Light, occasional use from a trusted provider
Visit McAfeeMcAfee Safe Connect is the free VPN option from one of the trusted names in cybersecurity. The free tier includes 500 MB of data per month, which is enough for checking email or logging into an account on public Wi-Fi, but far too limited for streaming or heavy browsing. It integrates with McAfee’s larger security suite, making it convenient if you already use other McAfee products.
Pros
Cons
Pro tip: Save your limited data for unsecured hotspots. Disable the VPN at home and only switch it on when you’re traveling or using public Wi-Fi.
Final verdict: McAfee Safe Connect Free provides a quick and trustworthy way to protect your data on public Wi-Fi, but its 500 MB limit makes it impractical for regular use.
Best for: Fast streaming and browsing
Visit PrivadoVPNPrivadoVPN Free stands out as one of the most generous no-cost VPNs. With 10 GB of data per month, solid speeds, and even limited streaming access, it’s a rare free service that feels close to premium. It also includes a kill switch, a feature often reserved for paid plans.
Pros
Cons
Pro tip: Use your 10 GB for bandwidth-heavy tasks like streaming or file downloads, then switch to basic browsing without a VPN once your limit resets.
Final verdict: PrivadoVPN Free is one of the strongest free VPNs available, offering reliable performance and useful features that many rivals keep behind paywalls.
Best for: Unlimited private browsing
Visit Proton VPNProton VPN Free is unique in the VPN market: it offers unlimited data at no cost. Backed by Proton’s strong security reputation and no-logs policy, it’s ideal for users who value privacy and don’t want to worry about caps. However, free users are limited to a few server locations and will not receive consistent streaming access.
Pros
Cons
Pro tip: Proton VPN’s unlimited data makes it perfect for everyday use—just don’t rely on it for unblocking streaming services.
Final verdict: If your priority is privacy and unlimited use, Proton VPN Free is the best no-cost option. However, the ability to stream and its speed aren’t ideal.
Best for: Customization and extras
Visit WindscribeWindscribe Free is a flexible VPN service offering 10 GB of data per month and a comprehensive set of features. Beyond standard VPN protection, it also includes extras such as ad-blocking and customizable security rules. While the free plan caps your data, it’s one of the most versatile options for users who want control over their VPN settings.
Pros
Cons
Pro tip: Take advantage of Windscribe’s ad-blocker and firewall tools. These extras help protect your privacy even when your monthly data runs out.
Final verdict: Windscribe Free offers more customization and extras than most free VPNs, making it an excellent choice for privacy-conscious users who like control.
Best for: Strong privacy protection
Visit hide.meA strong encryption option, hide.me Free provides 10 GB of data per month and an audited no-logs policy. It supports multiple platforms and includes features such as a kill switch, making it a dependable choice for security-conscious users. While its speeds can vary, it’s one of the more trustworthy options in the free VPN space.
Pros
Cons
Pro tip: Use hide.me when you need maximum security — such as handling sensitive accounts — then switch back to normal browsing once the task is complete.
Final verdict: hide.me Free is a reliable, privacy-focused VPN that delivers strong protection, though it’s less suited for streaming or high-speed use.
To make this list, I applied a weighted scoring system to evaluate each VPN across the most important factors for security and usability:
Free VPNs all come with trade-offs, so the right choice depends on how you plan to use it.
For quick hotspot protection, McAfee Safe Connect Free is a safe, brand-backed option. Need unlimited browsing? Proton VPN Free stands out. For speed and extra features, PrivadoVPN Free, Windscribe Free, and hide.me Free each bring something different to the table.
No single service is perfect, but each covers a distinct need.
Looking for VPN protection beyond personal use? Check out our guide to the Best VPNs for Small Business for reliable, affordable options to keep your team secure.
The post 5 Best Free VPNs You Can Trust in 2026 (And the Premium Trials Worth Trying) appeared first on eSecurity Planet.
More than 1,300 internet-exposed Microsoft SharePoint servers remain unpatched against a spoofing flaw previously exploited as a zero-day.
“Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network,” said Microsoft in its advisory.
The vulnerability, tracked as CVE-2026-32201, affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
These platforms are widely used for enterprise document management and collaboration.
Because these systems host sensitive data and support daily operations, exploitation could lead to unauthorized access, data changes, and broader business impact.
Despite Microsoft releasing patches during April 2026 Patch Tuesday, exposure remains high, with more than 1,300 internet-facing SharePoint systems still unpatched, according to Shadowserver.
The flaw stems from an improper input validation weakness that enables network spoofing, allowing attackers to manipulate how SharePoint processes inputs to impersonate trusted sources or alter data flows.
Because it requires low attack complexity and no user interaction, it is easier to exploit at scale, especially in internet-exposed or poorly secured environments.
Microsoft has confirmed that CVE-2026-32201 was exploited in the wild as a zero-day prior to patch availability.
However, it has not disclosed specific details about the attack methods or attributed the activity to a specific threat actor.
Because the flaw has been exploited and impacts externally exposed systems, organizations should take a broader approach beyond patching.
Security teams should also focus on reducing exposure, strengthening access controls, and improving visibility into potential misuse.
These steps can help organizations limit current exposure and build stronger resilience against similar threats.
This incident reflects a broader trend of attackers focusing on widely used enterprise platforms, particularly those that are slower to receive timely updates.
Collaboration tools like SharePoint remain common targets because they store sensitive business data and are often exposed to external networks.
At the same time, advances in AI and automation are helping attackers identify and exploit vulnerabilities more quickly, shortening the window between patch release and active exploitation.
As a result, organizations should layer security and use zero trust solutions to help limit the blast radius of incidents.
The post Over 1,300 SharePoint Servers Still Exposed to Actively Exploited Spoofing Flaw appeared first on eSecurity Planet.
Mapping the relationships of clients, devices, and inboxes is foundational to what MSSPs and MSPs do. Cork is automating it.
Microsoft has released an out-of-band update to fix an ASP.NET Core vulnerability that could allow attackers to take full control of affected systems.
The flaw enables unauthenticated privilege escalation, increasing risk for enterprises running .NET workloads.
“Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” said Microsoft in its advisory.
The vulnerability, CVE-2026-40372, impacts ASP.NET Core applications that rely on the Data Protection API, a foundational component responsible for securing authentication cookies, antiforgery tokens, and other sensitive application data.
Because this mechanism is central to establishing trust between users and web applications, any weakness in its validation logic can have widespread consequences.
If exploited, attackers could impersonate legitimate users, escalate privileges to SYSTEM level, and gain unauthorized access to sensitive resources across affected environments.
Microsoft confirmed the issue affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6, meaning organizations may have unknowingly introduced the vulnerability during this month’s Patch Tuesday updates.
The flaw stems from a regression in the cryptographic validation process.
The managed authenticated encryptor incorrectly computes its HMAC validation tag over the wrong portion of the payload and, in some cases, fails to validate it altogether.
This breaks the integrity guarantees that the Data Protection system is designed to enforce, effectively allowing tampered or forged data to be treated as legitimate by the application.
As a result, attackers can craft malicious payloads that bypass authenticity checks and are accepted as valid.
This enables a range of attack scenarios, including forging authentication cookies, manipulating antiforgery tokens, and decrypting previously protected data.
Attackers could also trick applications into issuing valid signed tokens — such as session tokens, API keys, or password reset links — that may remain usable after patching unless keys are rotated and tokens invalidated.
Microsoft has released an out-of-band patch to address the issue and, at the time of publication, has not reported evidence of active exploitation in the wild.
Because the flaw affects authentication and token validation processes, organizations should take a comprehensive approach to remediation.
Beyond applying updates, teams should invalidate potentially affected tokens, strengthen authentication controls, and monitor for unusual activity.
Collectively, these measures help organizations reduce exposure to potential exploitation while strengthening overall resilience against future authentication and privilege escalation threats.
This vulnerability underscores how small changes in cryptographic implementations can introduce meaningful security gaps, particularly when they affect core validation logic.
As organizations continue to rely on frameworks like ASP.NET Core for authentication and data protection, issues in these underlying components can impact multiple applications and services at once, increasing the overall risk surface.
This type of risk reinforces the value of zero trust approaches, where continuous verification and strict access controls help limit the impact of weaknesses in underlying systems.
The post CVE-2026-40372: Microsoft Patches ASP.NET Core Privilege Escalation Vulnerability appeared first on eSecurity Planet.
During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: Needle Stealer, data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets.
In this case, attackers used a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView.
TradingView is a legitimate platform used by traders to analyze financial markets, but this fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup tradingclaw.chat. Instead, it’s being used here as a lure to trick people into downloading malware.
Needle is a modular infostealer written in Golang. In simple terms, that means it’s built in pieces, so attackers can turn features on or off depending on what they want to steal.
According to its control panel, Needle includes:
The panel also shows a “coming soon” feature to generate fake Google or Cloudflare-style pages, suggesting the attackers plan to expand into more advanced phishing techniques.
Needle Stealer panel
In this campaign, the malware is distributed through a fake website advertising TradingClaw as an AI trading tool.
Malicious TradingClaw website
The site itself behaves selectively. In some cases, visitors are shown the fake TradingClaw page, while in others they are redirected to a different site (studypages[.]com). This kind of filtering is commonly used by attackers to avoid detection and only show the malicious content to intended targets. Search engines, for example, see the Studypages version:
Google results shows the Studypages fake page
If a user proceeds, they are prompted to download a ZIP file. This file contains the first stage of the infection chain.
Like in the previous campaign, the attack relies on a technique called DLL hijacking. In simple terms, this means the malware disguises itself as a legitimate file that a trusted program will load automatically. When the program runs, it unknowingly executes the malicious code instead.
In this case, the DLL loader (named iviewers.dll) is executed first. It then loads a second-stage DLL, which ultimately injects the Needle Stealer into a legitimate Windows process (RegAsm.exe) using a technique known as process hollowing.
Needle Stealer injected in RegAsm.exe process
The stealer is developed in Golang, and most of the functions are implemented in the “ext” package.
Part of the “exe” package
Once installed, the Needle core module can:
One of the more concerning features is its ability to install malicious browser extensions.
The stealer also supports the distribution of malicious browser extensions, giving attackers a powerful way to take control of the victim’s browser.
We identified multiple variations of these extensions, each with slightly different file structures and components. Behind the scenes, the malware uses built-in Golang features to unpack a hidden ZIP archive (often named base.zip or meta.zip) that contains the extension files, along with a configuration file (cfg.json).
Partial cfg.json config file:
{
"extension_host": {},
"api_key": "…
"server_url": "https://C2/api/v2",
"self_destruct": true,
"base_extension": true,
"ext_manifest": {
"account_extension_type": 0,
"active_permissions": {
"api": [
"history",
"notifications",
"storage",
"tabs",
"webNavigation",
"declarativeNetRequest",
"scripting",
"declarativeNetRequestWithHostAccess",
"sidePanel"
],
"explicit_host": [
"<all_urls>"
],
"manifest_permissions": [],
"scriptable_host": [
"<all_urls>"
]
},
"commands": {
"_execute_action": {
"was_assigned": true
}
},
…This configuration file is key. It tells the malware where to send stolen data (the command-and-control server), which malicious extension to install, and which features to enable.
The stealer extension is dropped in a random folder in the path %LOCALAPPDATA%\Packages\Extensions. The folder contains three main files popup.js, content.js, and background.js.
The malicious extension dropped
The extensions analyzed have Google-related names.
The fake malicious extension on Edge Browser
The extension gives attackers near full control over the browser, with capabilities that go far beyond typical malware.
It can:
/upload).The stealer and its extension communicate with command-and-control (C2) servers using several API endpoints. These are essentially different “channels” used for specific tasks:
/backup-domains/active—retrieves backup servers to stay connected if the main one is blocked/upload—sends stolen data back to the attackers/extension—receives instructions for redirects, downloads, and notifications/scripts—downloads malicious code to inject into web pagesScammers are increasingly using AI-themed tools to make fake websites look legitimate. In this case, a supposed “AI trading assistant” was used to trick people into installing malware.
To reduce your risk:
If you think you may have downloaded this infostealer:
%LOCALAPPDATA%\Packages\Extensions and suspicious browser extensions.HASH
95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed
0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0
Domains
Tradingclaw[.]pro: fake website
Chrocustumapp[.]com: related to malicious extension
Chrocustomreversal[.]com: related to malicious extension
google-services[.]cc: related to malicious extension
Coretest[.]digital: C2 panel
Reisen[.]work: C2 panel
IPs
178[.]16[.]55[.]234: C2 panel
185[.]11[.]61[.]149: C2 panel
37[.]221[.]66[.]27: C2 panel
2[.]56[.]179[.]16: C2 panel
178[.]16[.]54[.]109: C2 panel
37[.]221[.]66[.]27: C2 panel
209[.]17[.]118[.]17: C2 panel
162[.]216[.]5[.]130: C2 panel
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Security researcher Alexander Hanff wrote an article titled Anthropic secretly installs spyware when you install Claude Desktop.
Claims like that are bound to create two sides, so we searched for an official rebuttal by Anthropic. But we couldn’t find one. It would surprise me very much if they’d be unaware of the claim, since there’s been some noise about it.
Users on Mastodon, Reddit, and LinkedIn are confirming the researcher’s findings and discussing the subject, so it’s hard to imagine Anthropic missed it.
Let’s look at the claims first.
While looking into another matter, the researcher discovered a Native Messaging host manifest on his Mac that he did not knowingly install. On Chrome and other Chromium-based browsers, extensions can exchange messages with native applications if they register a native messaging host that can communicate with the extension.
By testing on a clean machine, Hanff discovered that Installing Claude Desktop for macOS drops a Native Messaging host manifest into multiple Chromium profiles (Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium), even including for browsers that are not actually installed yet.
The Native Messaging host manifest tells a Chromium‑based browser which local executable to invoke when an extension calls a native host, and those hosts run outside the browser sandbox with current users permissions. Hanff therefore describes this as a “backdoor.” The manifest pre‑authorizes three Chrome extension IDs, so any extension with those IDs can call the helper via connectNative, giving it access to browser automation features.
Another objection is that Claude makes simple deletion futile since the manifest will be recreated the next time the user launches Claude Desktop.
It’s important here to point out that his article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic’s command line developer tool. Claude Code is autonomous (“agentic”), allowing you to hand over a task, and it handles the planning and execution until done. So, for Claude Code, it would absolutely make sense to enable communication with browsers, provided they are present on the target system.
So, we have an application that writes into other apps’ profile/support directories (the browsers’ configuration area) and can act as the user, with capabilities like using the logged‑in browser session, DOM inspection, data extraction, form filling, and session recording. This expands the attack surface of every machine this manifest is dropped on, without asking for consent.
Anthropic’s own launch blog on “Claude for Chrome,” which discusses Anthropic’s internal red‑team experiments, explicitly mentions prompt injection as a key risk and reports attack success rates of 23.6% (no mitigations) and 11.2% (with mitigations). Hanff cites this to argue that a pre‑positioned bridge is a non‑trivial risk.
Native Messaging is a standard Chromium mechanism. Nothing here is an unknown or exotic technique per se. Chrome’s own documentation explains that Native Messaging hosts run at user privilege and are invoked by browser extensions through a manifest file. And as the researcher pointed out, the bridge does nothing. But it could potentially be abused.
I don’t think it’s fair to say that Claude Desktop installs spyware, but it does open a system up by expanding the attack surface.
Anthropic already had a separate, documented Native Messaging manifest for Claude Code that users sometimes manually copied into other Chromium browsers; the new behavior is that Claude Desktop now drops a Claude‑Desktop‑related manifest into multiple browser paths automatically.
It requires a combination of extension and host. Only combined with a matching browser extension, this bridge enables the user-like capabilities we listed earlier.
Anthropic hasn’t published a detailed technical privacy spec for the Claude Desktop–browser bridge, so we don’t know exactly what data flows when the Chrome integration is used, beyond the general capabilities described in their documentation (session access, DOM reading, etc.).
The detailed analysis and most replication so far are on macOS. We’re in the dark about behavior on Windows and Linux, and the same is true across different browser install paths. That behavior has also not been comprehensively documented in public write‑ups.
I did reach out to Anthropic asking for a response. If and when we get an official response from Anthropic, I’ll add it here, so stay tuned.
Anthropic likely wanted “Claude in Chrome”‑style capabilities across Chromium‑based browsers, but that doesn’t excuse doing it silently and preinstalling the manifest into profile directories for multiple browsers, including ones that are not yet installed.
There are better ways to implement changes like these, and users should at least be made aware of them so they can weigh the advantages against the potential risks.
Stop threats before they can do any harm.
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
A $293 million cryptocurrency theft has rocked the decentralized finance (DeFi) ecosystem, with KelpDAO at the center of an attack now suspected to be linked to North Korea’s Lazarus Group.
The attack highlights how quickly sophisticated attackers can exploit weaknesses in cross-chain infrastructure.
“Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor,” stated LayerZero in their X post.
KelpDAO, a liquid restaking protocol built on Ethereum, allows users to deposit ETH and receive rsETH — a derivative token that continues earning yield while remaining usable across decentralized applications.
Through interoperability layers like LayerZero, rsETH can move across chains, increasing flexibility but also expanding risk.
That risk materialized in a major way during this incident, where approximately 116,500 rsETH — valued at roughly $293 million — was stolen and later funneled through Tornado Cash to obscure transaction trails.
The impact quickly extended beyond KelpDAO itself.
Because rsETH is widely integrated across the DeFi ecosystem, major lending protocols including Aave, Compound, and Euler were affected.
In response, Aave moved to freeze activity involving rsETH as collateral, aiming to limit further exposure and prevent cascading losses.
This highlights a key challenge in DeFi: deep composability means a single failure point can ripple across multiple platforms in real time.
At the center of the breach was KelpDAO’s cross-chain verification process, specifically the Decentralized Verifier Network (DVN) responsible for validating cross-chain messages.
Rather than exploiting a flaw in smart contract code, attackers targeted the infrastructure supporting these operations.
By compromising select Remote Procedure Call (RPC) nodes, they were able to inject falsified blockchain data into the verification layer.
To amplify the attack, the threat actors simultaneously launched distributed denial-of-service (DDoS) attacks against legitimate RPC nodes.
This degraded the availability of trusted data sources and forced the system to rely on the compromised nodes.
Essentially, the attackers poisoned the validation process, enabling fraudulent cross-chain messages to be accepted as legitimate. This allowed them to authorize transfers of rsETH that never actually occurred on-chain.
The success of the exploit underscores a critical weakness in cross-chain architectures: their reliance on external data inputs and trust assumptions.
Validators and oracles play a central role in confirming cross-chain activity, but if those inputs are manipulated or disrupted, the entire system can be deceived.
In this case, attackers gained enough control over the data pipeline to bypass safeguards and execute unauthorized transactions.
As cross-chain ecosystems grow, they introduce additional complexity and potential security risks.
The following strategies highlight steps security teams can take to help manage risk across cross-chain operations.
Collectively, these measures help organizations build more resilient systems while containing potential incidents to minimize blast radius.
This incident reflects a shift in attackers targeting emerging financial infrastructure like DeFi, rather than traditional institutions.
DeFi environments combine high liquidity with rapidly evolving architectures, which can introduce security gaps if not carefully managed.
Cross-chain interoperability adds another layer of complexity, increasing dependencies and trust assumptions that expand the overall attack surface.
These evolving risks highlight the need for zero trust solutions that assume compromise and enforce strict verification across complex environments.
The post $293M KelpDAO Crypto Heist Exposes Cross-Chain Weaknesses in DeFi appeared first on eSecurity Planet.
A widespread browser extension campaign is quietly compromising users by disguising data-stealing tools as TikTok video downloaders.
“While many people see browser extensions as harmless little widgets, oftentimes they have no idea who is actually behind these extensions, and what capabilities they contain within their source code,” said Natalie Zargarov, security researcher at LayerX in an email to eSecurityPlanet.
She added, “This is why users and enterprises need to be vigilant about the extensions they install, to make sure their sensitive data is not stolen.”
This campaign underscores a growing blind spot in enterprise security: browser extensions that appear legitimate at install time but evolve into active threats long after they’ve gained user trust.
According to LayerX researchers, more than 130,000 users have already been impacted, with thousands of installations still active.
Because these extensions come from trusted marketplaces like Chrome and Edge — and are sometimes even listed as “Featured” — they often bypass user skepticism and basic security controls.
According to LayerX’s research, at least 12 interrelated extensions were involved in the campaign.
While they appeared to be separate tools, they all shared a common codebase and were marketed as TikTok video downloaders.
On the surface, they delivered exactly what users expected — downloading videos, often without watermarks — which helped them build credibility and maintain a low profile.
This legitimate functionality played a key role in evading early detection and gaining widespread adoption.
Behind the scenes, however, these extensions operated very differently. They incorporated covert tracking mechanisms and leveraged attacker-controlled remote configuration servers.
This capability allowed the threat actors to dynamically modify the extensions’ behavior after installation — enabling new features, expanding data collection, or redirecting traffic — without requiring updates through official extension stores.
By doing so, they effectively bypassed marketplace review processes and kept malicious activity hidden from both users and platform operators.
At its core, this is a systemic weakness in how browser extensions are trusted and managed.
Extensions often request broad permissions and run within the browser, exposing sensitive data, session tokens, and user activity — access that’s often difficult to monitor or limit once granted.
The campaign’s use of delayed capability injection further complicates detection.
Many of the extensions behaved normally for six to twelve months, allowing them to build a reputation and accumulate users before introducing more invasive functionality.
This delayed activation model makes it difficult for both marketplace reviewers and security tools to identify malicious intent during initial analysis.
In addition to behavioral manipulation, the extensions collected high-entropy fingerprinting data, including device characteristics, usage patterns, language settings, and even battery status.
When combined, this data enables persistent tracking of users across sessions and potentially across multiple services.
Browser extensions can pose security risks if not properly managed, as they often have access to user activity and sensitive data.
Managing these risks requires a focused approach to limiting permissions, monitoring behavior, and reducing unnecessary data exposure.
Together, these practices help organizations build resilience while reducing unnecessary exposure to extension-related risks.
The StealTok campaign highlights a shift in how attackers maintain access, moving beyond one-time malware to more persistent methods that leverage trusted platforms.
Browser extensions are especially attractive in this context because they operate within the user’s session and can bypass some traditional security checks.
While marketplace reviews tend to focus on initial approval, this case shows how risk can develop over time through updates and changes in behavior after installation.
These challenges reinforce the need for using zero trust, which helps continuously verify access and ensures no inherent trust.
The post 130K Users Compromised by StealTok Campaign That Uses Fake TikTok Downloaders appeared first on eSecurity Planet.
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.
Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.
Two photos published in a Daily Mail story dated May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. “M&S” in this screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.
Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access.
As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.
The group then used data stolen in those breaches to carry out SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In an unauthorized SIM-swap, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — such as one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department said Buchanan admitted to stealing at least $8 million in virtual currency from individual victims throughout the United States.
FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan throughout 2022.
As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.
Buchanan was arrested by Spanish authorities in June 2024 while trying to board a flight to Italy. He was extradited to the United States and has remained in U.S. federal custody since April 2025.
Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban, 21, of Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina – still face criminal charges.
Two other alleged Scattered Spider members will soon be tried in the United Kingdom. Owen Flowers, 18, and Thalha Jubair, 20, are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is slated to begin in June.
Investigators say the Scattered Spider suspects are part of a sprawling cybercriminal community online known as “The Com,” wherein hackers from different cliques boast publicly on Telegram and Discord about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.
One of the more popular SIM-swapping channels on Telegram has long maintained a leaderboard of the most rapacious SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard previously listed Buchanan’s hacker alias Tylerb at #65 (out of 100 hackers), with Urban’s moniker “Sosa” coming in at #24.
Buchanan’s sentencing hearing is scheduled for August 21, 2026. According to the Justice Department, he faces a statutory maximum sentence of 22 years in federal prison. However, any sentence the judge hands down in this case may be significantly tempered by a number of mitigating factors in the U.S. Sentencing Guidelines, including the defendant’s age, criminal history, time already served in U.S. custody, and the degree to which they cooperated with federal authorities.
With Total Insights Feed, Team Cymru want threat intelligence to have context, scoring, and analysis to speed decisions inside the SOC, not create more enrichment work after the alert.
Somebody went looking for Google’s new Antigravity coding tool this week, clicked download, ran the installer, and got exactly what they thought they were getting. Antigravity installed cleanly. A shortcut appeared on the desktop. The application opened and worked. Nothing looked or felt wrong.
But behind the scenes, that installer can give your accounts, your data, and even your machine to an attacker, without breaking anything the user can see.
In this article, we’ll break down the technical details of the campaign, how it works under the hood, and what to do if you think you’ve installed it.
Google Antigravity launched in November 2025 and has been one of the most searched-for developer tools on the web ever since. The real product lives at antigravity.google. Hardly anyone new to the product has the real URL memorized, so when a user reached a hyphenated lookalike (what we call a typosquat domain) at google-antigravity[.]com it was convincing enough at a glance.
So they went on to download the file, called Antigravity_v1.22.2.0.exe.
The installer isn’t simply named to look like the real one from Google. It’s 138 MB: large enough to carry the entire Antigravity application, its Electron runtime, its Vulkan graphics libraries, its updater, all of it. Because that is what is actually inside.
The attacker didn’t build a convincing fake; they took the genuine Antigravity installer, added one additional step to run their PowerShell script during setup, and repackaged the result. The malicious step is one extra line in a sequence that runs dozens of legitimate ones. Here’s what the Setup looked like:
How do we know it’s one line? Because you can see it.
The MSI’s custom-action table (the list of every step the installer takes during install) contains 11 rows that are standard, boilerplate entries the installer tool generates automatically: extract files, check the Windows version, elevate to admin, write a log, clean up afterwards. Each of those has a name that starts with AI_ followed by a description of what it does. And then, sitting at the bottom of the same list, there is one more row, named wefasgsdfg — a keyboard mash the attacker typed in when the installer tool prompted them for a name, and the one that runs their PowerShell script.
Antigravity installs properly into C:\Program Files (x86)\Google LLC\Antigravity\. A Start Menu entry appears, a desktop shortcut is placed, and everything works. The user opens the app, tries it, closes it, and goes on with their day. It all seems fine, because they actually installed the thing they wanted to install. The malicious part is happening quietly, in a folder they’ll never open.
Somewhere in the middle of the install, the MSI runs a small helper script that drops two PowerShell files into the user’s temporary folder: scr5020.ps1 and pss5032.ps1. The filenames look like specifics but aren’t: the four characters after each prefix are generated fresh every time the installer runs.
What stays constant is the prefix: scr for the user script, pss for the PowerShell wrapper, because those come from the installer tool’s standard naming pattern for custom-action scripts.
Of the two files, the second is an unaltered Advanced Installer utility. It’s genuinely innocent and present in many real products. The first was added by the attacker, and it has one job: open an HTTPS connection to https://opus-dsn[.]com/login/, download whatever code the server sends back, and run it. To blend in, it spoofs a Microsoft referrer header and routes through the system’s default web proxy, so it inherits whatever corporate proxy configuration and authentication IT has set up, without the user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script.
Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload lives on their server, not inside the installer out in the wild, so they can swap it out, change targeting, or turn the operation off without touching the file users are downloading.
In this case, the cradle did exactly what it was built to do and no more: a DNS query for opus-dsn[.]com, a single TCP connection on port 443 to 89[.]124[.]96[.]27 with a quiet HTTPS GET to /login/, and then the PowerShell process exited.
Nothing else happened. No second-stage script was fetched. No file was dropped. No scheduled task was created. No changes were made to Windows Defender. Most automated security tools would shrug and move on.
But the malware hadn’t failed. It had introduced itself to the attacker’s server and asked for code to run next—and whether the answer comes back is a decision the operator gets to make later, on their own time, one victim at a time. You cannot tell, from the victim’s side, what was returned. For analysis, we retrieved what the server sends when the answer is yes.
When the server decides a target is worth attacking, the follow-on script does its work in three movements.
First, it makes Defender look the other way. It calls Add-MpPreference (with the cmdlet name split by a backtick, a small obfuscation to dodge naïve string-matching detections) to exclude %ProgramData% and %APPDATA% from scanning, exclude .exe, .msi, and .dll files from scanning, and exclude PowerShell, regasm.exe, rundll32.exe, msedge.exe, and chrome.exe from scanning. Only after that does it phone home—collecting a profile of the machine (Windows version, Active Directory domain, installed antivirus product), RSA-encrypting it with a public key embedded in the script, and sending it to opus-dsn[.]com inside a utm_content query parameter that looks, in any access log, like ordinary marketing tracking. This is the profile the operator uses to decide whether this particular machine is worth the next stage.
Second, it widens the gap. A second Add-MpPreference block extends the exclusion list to include the .png file extension and the conhost.exe process—the exact two additions the next stage will need. It then writes AmsiEnable=0 into HKLM\Software\Policies\Microsoft\Windows Script\Settings, disabling Windows’ Antimalware Scan Interface—the layer that normally lets Defender read scripts before they execute. After this point, the malicious activity is being conducted in folders, with file types, and through processes that Defender has been instructed to ignore.
Third, it stages persistence. It downloads a file called secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to C:\ProgramData\MicrosoftEdgeUpdate.png, a path chosen to sit beside Microsoft’s real browser-update folders. The file is not an image. It is an AES-256-CBC ciphertext (key and IV both derived via PBKDF2 with 10,000 iterations from a hardcoded passphrase) wrapping a .NET assembly. A scheduled task is then registered with the name MicrosoftEdgeUpdateTaskMachineCore{JBNEN-NQVNZJ-KJAN323-111}, which is all but indistinguishable at a glance from the real Microsoft Edge update task and set to fire at every logon, running unprivileged so it never produces a UAC prompt. The action it executes is conhost.exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has been asked to ignore.
And then a second payload, that doesn’t persist at all. The script doesn’t stop there. After registering and starting the scheduled task, it sends a second beacon to confirm install, then runs an entirely separate block that downloads a second encrypted file (GGn.xml) from the same BunnyCDN host, decrypts it with a different, hardcoded AES key, and reflectively loads that assembly into the running PowerShell process too. The first payload survives reboots; this one runs once, in memory, and is gone. Two .NET assemblies, one campaign, on the victim.
The decrypted assembly is a .NET stealer. We can characterize it from its own class and method names, which describe its job in plain English: it scans browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets, collecting data labeled Logins, Cookies, Autofills, and FtpConnections.
In practice, that means every Chromium- and Firefox-based browser on the machine (Chrome, Edge, Brave, and others) gets stripped of saved passwords, autofill data (including saved credit cards), and the cookies that keep users signed in. Discord tokens, Telegram sessions, Steam logins, FTP credentials, and cryptocurrency wallet files are taken as well.
(Most of the exact target paths are obfuscated and only decrypted at runtime, so the specific apps aren’t all visible from a static analysis, but the categories of theft are clear from the class names.)
Session cookies are the part that should alarm most people, because they work faster than anything else. A stolen login cookie lets an attacker walk straight into a Gmail inbox or banking portal without needing a password or triggering two-factor authentication. As far as the website is concerned, the user is already signed in. The gap between infection and account takeover can be minutes.
Beyond data theft, the malware also imports Windows APIs used for clipboard hijacking and keystroke logging, tools that can capture what you type or swap a cryptocurrency wallet address at the exact moment you send funds.
It also includes the building blocks for “hidden desktop” tradecraft: creating a second, invisible Windows desktop that the attacker can capture and potentially control. In its most advanced form, this lets an attacker operate inside that hidden environment—logging in to accounts, approving transactions, or sending messages—while the victim’s real screen shows nothing unusual. For the duration of the infection, the attacker is, effectively, a second presence on the computer.
The reason this campaign matters beyond the single installer is that its shape isn’t new. It’s a refined version of a pattern we’ve been watching for months: new AI products launch with huge attention, and within weeks, lookalike domains and trojanized installers appear alongside them. Antigravity is the latest example, but it won’t be the last.
The incentive for attackers is obvious. Every high-profile AI launch creates a surge of users who want to try it immediately, before they’ve had time to memorize the real URL, or might fail to double-check it against trusted sources.
What makes this style of campaign hard to spot is that most victims never know they were targeted. Those who escaped, because the operator chose not to escalate on their machine, have no reason to think anything happened.
The ones who didn’t escape usually find out later: a password reset they didn’t request, a friend asking about a strange message, or a bank balance that suddenly looks wrong. By then, the decision to target them was made days earlier.
If you or anyone who shares your computer recently installed something calling itself Google Antigravity from anywhere other than antigravity.google, start by checking the network indicators. Look in firewall logs, EDR alerts, or your router logs for connections to opus-dsn[.]com, captr.b-cdn[.]net, or 89[.]124[.]96[.]27. A single connection from a PowerShell process is enough to confirm the check-in happened.
File hashes (SHA-256)
61aca585687ec21a182342a40de3eaa12d3fc0d92577456cae0df37c3ed28e99 (Antigravity_v1.22.2.0.exe)
Network indicators
captr.b-cdn[.]net
google-antigravity[.]com
opus-dsn[.]com
89[.]124[.]96[.]27
According to CNET. Read their review →
Scammers have found a way to abuse legitimate Apple account notification emails to trick targets into calling fake tech support numbers.
According to a report from BleepingComputer, scammers create an Apple account and insert a phishing message into the personal information fields, then modify the account so that Apple sends a genuine security alert about the change to the target.
BleepingComputer was able to replicate the attack.
The attacker creates an Apple ID they control, then stuffs the phishing message into the personal information fields (first name, last name, possibly address), splitting it across fields because they will not fit into just one.
To launch the phish, the attacker changes something benign on their specially created Apple account, such as shipping information, which causes Apple’s systems to send a “Your Apple account was updated” security email.
While the original alert is addressed to the attacker’s iCloud email, they are then able to redistribute it to a wider victim list, for example through a mailing list.
In the copy the targets receive, the email headers still show a legitimate Apple sender, and the presence of the attacker’s iCloud address can even make it look like “someone else” has gained access to the account.
Because Apple includes those user-supplied fields in the security email, the phishing text is delivered inside a legitimate message sent from Apple’s own infrastructure.
This method, called call-back phishing, filters out suspicious users, so the scammers can focus on the people who fell for the first part.
The emails come from a legitimate source, sail through every security filter because of that, and look convincing enough to scare the receiver into thinking someone spent $899 from their PayPal account.
But the structure of the email does not make sense.
“Dear User” is immediately followed by the scam message where your name should have been. The header says it’s about account information rather than a purchase. And the iCloud account does not belong to the recipient. So, once you know how it’s done, they’re not impossible to spot. Which is why we wrote this blog.
And when in doubt, you can always ask Malwarebytes Scam Guard.
Asking Scam Guard
Scam Guard identified the screenshot as a scam and guides users through the next steps.
Scams like these work, because many users still view phone calls as more trustworthy than email, especially if the email itself passed all the usual technical authenticity checks and they initiated the call themselves.
Tech support scammers will try to convince callers to install some kind of remote desktop application to steal data from your computer, or ask for financial details so they can steal your money.
To stay safe from these scammers:
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
Some of the apps on your phone want your contacts. Most don’t need them all, but have been happily slurping up the lot for years. Google has decided to do something about that with the next version of Android.
Android 17 (currently in preview) is introducing a new Contact Picker that lets users grant apps access to specific contacts rather than the entire list.
Previously, any app that needed a single phone number had to request READ_CONTACTS. That’s a permission that handed over every name, email, and number. It’s the digital equivalent of handing someone your entire Rolodex because they asked for one business card.
An app that can harvest your entire contact list can map your social network, identify your family members, and potentially hand that data to whoever’s buying. So whenever you click “yes” to “show us all your contacts” it isn’t just your privacy you’re playing with.
From Android 17 onward, apps will need to be more specific about what contact data they access. Phone number? Fine. Email address? Sure. Your cousin’s mailing address? Not unless the app has a reason.
Google’s updated Play policy will require apps to use the Contact Picker or the Android Sharesheet as the main way to access contacts. READ_CONTACTS
Location permissions are also set to become more granular and privacy-friendly in Android 17.
Previously, apps could ask for your precise or general location, and you could allow it just once, any time you’re using the app, or not at all. The new button adds nuance by letting app developers ask for your location in the moment, tied to a specific action, like finding a local cafe.
There will also be a persistent indicator to let you know when an app is using your location, similar to the alerts for camera or microphone access. And you’ll be able to find out which apps are tracking you as well.
The tighter permissions management in Android 17 is a big deal for privacy advocates, because overly broad access is how data brokers build detailed profiles about you.
Those profiles can then be used for aggressive or invasive advertising, including scams.
Google timed these privacy announcements alongside its latest Ad Safety report, which says it blocked 8.3 billion policy-violating ads and suspended 24.9 million advertiser accounts in the last year.
The 8.3 billion figure is up from 2024, when Google blocked 5.1 billion ads. The increase suggests that the problem is getting worse, or that Google is getting better at catching it. Scam ads are a big part of that. In 2024, Google blocked 415 million scam-related ads. In 2025, that number grew to 602 million.
We’ll give Google credit for trying to tackle this problem from both ends—limiting data collection and cracking down on the kinds of ads that use that data maliciously. But there’s still a sense that it’s not doing quite enough.
Yes, the Android 17 permission changes are good for users, but granular contact access should have been the default years ago. Apple has been doing it for 18 months in iOS 18, and even that was years too late, in our opinion.
And while Google says it caught over 99% of violations before users ever saw them, 1% of an insanely large number is still insanely large.
The ads that still get through are damaging. In December, we reported on sponsored search results pointing to malicious AI chats that instructed people to install infostealer malware. Why does Google run ads that look like search results? Because its business model is driven by advertising revenue. At least it’s making it easier to hide them now.
So we’ll give a cautious hand clap to Google. It’s moving in the right direction. But stories about how it knowingly giving kids’ data inappropriately to advertisers or misusing health data still give us pause.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
This week on the Lock and Code podcast…
A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.
Instead, it is the older adults themselves whose stories are often shirked aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, everyone else believes, is too savvy for the same.
The data disagrees.
When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.
Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.
According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.
So what actually works? And who, if anyone, is doing the work?
Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.
“This is not a technical capability problem at all. This is a conflict of incentives.”
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.
The National Institute of Standards and Technology (NIST) is narrowing how it analyzes and scores software vulnerabilities, citing a sharp increase in submissions that has made it difficult to keep pace.
“For years, security teams relied on NVD for vulnerability context to support prioritization decisions. But that model is under real strain,” said Ian Gray, VP of Intelligence at Flashpoint in an email to eSecurityPlanet.
He added, “CVE submissions have grown 263% between 2020 and 2025, and NIST can no longer keep pace by enriching everything.”
NIST maintains the National Vulnerability Database (NVD), which enhances MITRE’s CVE system with CVSS scores, affected product details, and links to advisories and patches.
This enrichment has helped security teams prioritize remediation efforts by making raw vulnerability data more actionable.
However, as vulnerability disclosures continue to surge, NIST is adjusting how it allocates its resources.
According to the agency, submission volumes have increased by more than 260% in recent years and are still rising into 2026.
While NIST enriched roughly 42,000 vulnerabilities in 2025, it noted that maintaining the same level of detailed analysis for every new CVE is no longer sustainable at current volumes.
Under a new prioritization approach that took effect Apr. 15, NIST will focus its enrichment efforts on a narrower set of high-impact vulnerabilities.
This includes those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, vulnerabilities affecting U.S. federal systems, and issues tied to critical software identified under Executive Order 14028.
For these cases, NIST will continue providing full analysis, including standardized severity scoring and product mapping.
All other vulnerabilities will still be published in the NVD but may no longer receive the same level of enrichment.
Instead, they will rely primarily on severity scores and details provided by the originating CVE Numbering Authority (CNA), such as a vendor or security organization.
These entries may be labeled as “Not Scheduled” for further NIST analysis, meaning they could lack consistent CVSS scoring or additional technical context from NIST.
This shift could introduce challenges for organizations that depend on NVD data for vulnerability management, particularly when assessing risk across large or complex environments.
CNA-provided data can vary in quality and depth, which may require security teams to spend more time validating and supplementing vulnerability information.
NIST acknowledged these limitations and noted that some impactful vulnerabilities may fall outside its prioritization criteria.
To help address gaps, the agency has introduced a process for requesting additional analysis on specific CVEs, allowing organizations to seek enrichment when needed.
Security teams may need to adjust how they triage and prioritize vulnerabilities in light of reduced NVD enrichment. Recommended steps include:
Collectively, these steps help organizations build resilience and reduce exposure by strengthening visibility and decision-making across vulnerability data sources.
NIST’s move reflects a broader trend in cybersecurity: the growing challenge of scale.
As vulnerability disclosures continue to rise — driven in part by AI-assisted discovery techniques and automated research — centralized resources like the NVD are under increasing pressure to balance completeness with usability.
At the same time, AI is lowering the barrier for attackers to identify and potentially exploit weaknesses more quickly, further compressing response timelines.
As prioritization becomes necessary, more responsibility shifts to individual organizations to interpret and act on incomplete or inconsistent data.
It also reinforces the need for context-driven vulnerability management, where decisions are based not just on external severity scores, but also on asset criticality, exploitability, and real-world threat activity.
This shift highlights the value of zero trust solutions, which help organizations limit exposure and enforce consistent access controls even as vulnerability management becomes more complex and decentralized.
The post NIST Scales Back Vulnerability Scoring in 2026 as CVE Volume Surges appeared first on eSecurity Planet.
The agents are the foundation of ConnectWise's new Modern Threat Protection model, which promises a 15-minute SLA for MDR and SIEM.
Anthropic’s most capable model to date, Claude Mythos Preview (aka Mythos), has been described as a “step change” in AI performance, especially on cybersecurity tasks.
Anthropic tried to keep Mythos a secret until a few weeks ago, when a data leak revealed the existence of what the company said was its most powerful artificial intelligence to date. The models is seen as both a powerful defensive tool, and, potentially, a serious offensive cyberweapon.
For that reason, the company is sharply limiting access and signaling it does not plan to release it broadly to the market right now. Its reported ability to autonomously find and even chain software vulnerabilities at scale sit at the core of both the hype and the danger.
Imagine a tool that can independently find new vulnerabilities in software, systems, and platforms, then turn them into exploits, even if that requires chaining them with other vulnerabilities.
In the wrong hands, that could be a major threat to our cyber safety. So Anthropic has limited access to a small number of organizations worldwide, including major tech firms and a select group of government or security bodies. The NSA is reportedly already using Mythos Preview, apparently to stress‑test and harden sensitive systems, despite the Pentagon labelling Anthropic as a supply chain risk.
Mythos can discover vulnerabilities across large codebases more quickly and reliably than existing tools, and can look for multiple flaws in one system and combine them into multi‑step exploit chains to complete a compromise (for example, going from a simple web bug to a full domain takeover). It would take a bug bounty hunter months to find another vulnerability, let alone one chainable with the one(s) already discovered. Accomplishing that before the first one would be highly unlikely.
In practical terms, that could mean faster attacks, more complex breaches, and less time for companies to fix weaknesses before they’re exploited.
Anthropic itself has highlighted that Mythos can work with minimal supervision for extended periods, meaning it could run systematic attack campaigns at a scale no human team could accomplish.
Anthropic flagged these security risks in an internal document:
But the most concerning conclusion was that the offensive side is iterating faster in the current phase of AI development, and security teams are generally later adopters of AI tooling than their adversaries.
As we know, AI in cybersecurity works both ways. It helps us defend against new threats, but it can also be used to create them. Which is why, in the wrong hands, Mythos can turn out to be a formidable adversary.
The goal stays the same, but the way to get there is paved by tools like Mythos. From the attacker’s seat, nothing about the destination is new. The novelty is that Mythos now automates the map, the vehicle, and most of the driving.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Cloud development platform Vercel has confirmed a security incident involving unauthorized access to internal systems, after a threat actor claimed to be selling stolen company data online.
“We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems,” said the company in its advisory.
Vercel sits at the center of modern web development workflows, providing hosting, deployment, and serverless infrastructure for applications built with frameworks like Next.js.
That position makes it a high-value target: access to internal systems could expose not just the platform, but also developer environments, CI/CD pipelines, and dependent production applications.
According to BleepingComputer, the threat actor claims access to sensitive internal data, raising concerns about the exposure of credentials, source code, and deployment systems.
The threat actor — claiming affiliation with the ShinyHunters group — alleges they are selling access to Vercel data, including API keys, database contents, and internal deployment infrastructure.
In forum posts, the actor claimed to possess credentials such as GitHub and npm tokens, along with access to multiple employee accounts that could be used to interact with internal systems.
To support these claims, the attacker shared a sample dataset reportedly containing 580 employee records, including names, corporate email addresses, account status, and activity timestamps.
A screenshot of what appears to be an internal enterprise dashboard was also posted.
However, neither the dataset nor the screenshot has been independently verified, leaving uncertainty around the scope and authenticity of the alleged breach.
If the claims prove accurate, the incident points to a potential compromise of systems tied to identity and access management or development workflows.
Exposed API keys or tokens could allow attackers to access code repositories, manipulate deployment pipelines, or interact with production services — effectively turning a single compromised entry point into broader environment control.
The threat actor also claimed to have discussed a $2 million ransom demand with Vercel, though the company has not confirmed whether any such negotiations are taking place.
In response to potential credential exposure or unauthorized access, organizations should take steps to reduce risk and secure their environments.
Issues affecting development platforms can extend beyond a single system, impacting pipelines, integrations, and production workloads.
Together, these measures help organizations build resilience and contain potential incidents by reducing the blast radius of any single point of compromise.
This incident reflects a broader shift, with attackers increasingly targeting developer platforms and cloud-native infrastructure as centralized points of access.
Rather than focusing on individual applications, they are aiming at services that manage code, deployments, and credentials at scale.
As organizations adopt more integrated and serverless architectures, the potential impact of a single compromise can extend across multiple systems.
This shift underscores the need for zero trust solutions that help limit access and reduce implicit trust across environments.
The post Vercel Confirms Security Incident as Threat Actor Claims Stolen Data for Sale appeared first on eSecurity Planet.
The next layer of MSSP value is not simply “more AI” - It is controlled AI: securing non-human identities, governing AI agents, and building services around automation without losing oversight.
A critical flaw in Nginx UI is being actively exploited in the wild, allowing unauthenticated users to perform privileged actions through an unprotected endpoint. Administrators are urged to patch immediately and restrict public access to management interfaces.
The EngageLab SDK vulnerability affecting over 50 million Android users was disclosed by Microsoft. The flaw allows malicious apps to exploit trusted permissions through an intent-redirection bug. Users should update to the latest version and audit third-party SDK dependencies.
Researchers also uncovered NWHStealer, a Windows infostealer distributed through fake Proton VPN sites and gaming mods hosted on GitHub and YouTube. The malware exfiltrates credentials and cryptocurrency data via encrypted channels and Telegram fallbacks. Experts recommend downloading software only from verified sources and enforcing application allowlisting.
The newly discovered AgingFly malware is targeting Ukrainian government, defense, and healthcare institutions. Written in C#, it steals browser and WhatsApp data while dynamically compiling command handlers to evade detection. CERT-UA attributes the campaign to threat group UAC-0247.
Anthropic’s Project Glasswing demonstrated AI’s ability to autonomously identify and exploit vulnerabilities at scale, signaling a potential paradigm shift in both offensive and defensive cybersecurity. Experts urge caution until independent validation confirms its reliability.
A sophisticated Apple-themed phishing scam is draining user bank accounts by impersonating Apple support alerts. Victims are tricked into contacting fraudulent hotlines, leading to credential theft and financial loss. The campaign underscores the persistent danger of social engineering tactics.
Comcast agreed to a $117.5 million settlement following a 2023 cyberattack that exposed sensitive data of over 30 million customers. Eligible users can claim up to $10,000 for losses, with hearings scheduled for July 2026 and claims due by August 14, 2026.
A ransomware attack on ChipSoft disrupted multiple Dutch hospitals by crippling the HiX EHR platform, halting patient care and operations. The incident highlights the fragility of healthcare infrastructure and the continued threat of ransomware to critical services.
OpenAI launched GPT-5.4-Cyber, a specialized model for cybersecurity professionals focusing on vulnerability research and reverse engineering. Access is restricted to vetted experts under the Trusted Access for Cyber program.
Meanwhile, OpenAI paused its Stargate UK project, citing high energy costs and regulatory uncertainty, putting 5,000 jobs at risk and impacting national AI ambitions.
Oracle announced layoffs of up to 12,000 employees in India as part of a restructuring to fund a $156 billion AI initiative, signaling a major shift in workforce and investment priorities.
The U.S. government is considering expanding its China tech ban to include telecom and data center infrastructure, a move that could reshape global AI supply chains and raise short-term costs.
Nutanix announced partnerships with NetApp and MongoDB to enhance hybrid multicloud operations, enabling faster VM migrations and automated cluster management. The company also introduced Agentic AI for secure, billable AI workloads.
Google’s NotebookLM integration with Gemini 1.5 Pro enables large-scale research automation, reducing hallucinations and improving cross-document reasoning.
Are Your Browser Extensions Putting You at Risk? Security experts recommend:
Implement a robust data encryption policy to ensure consistent protection across systems and data types. Tailor encryption standards to organizational risk profiles and compliance requirements.
With deepfake scams on the rise, organizations are urged to prepare by:
In response to the Adobe Acrobat zero-day exploit, users should:
Adopt smart controls for Infrastructure as Code using large language models (LLMs) to detect misconfigurations before deployment. Automate policy enforcement and integrate validator scripts into CI/CD pipelines to enhance cloud security posture.
The Best Remote Monitoring and Management Software 2026 guide highlights top RMM tools that streamline onboarding, monitoring, and reporting for IT teams.
Developers planning infrastructure modernization can consult the Apache Spark 3 to 4 migration guide for insights into performance improvements, Java 17 compatibility, and ANSI SQL defaults.
For cloud architects, CockroachDB on AWS offers a resource on building resilient distributed SQL systems for scalable applications.
Organizations hiring for legacy systems can leverage the Mainframe Systems Programmer Hiring Kit to identify candidates with the right technical and industry experience.
Finally, engineers can explore FinOps for Engineers to transform cloud billing into actionable runtime metrics, improving cost visibility and operational efficiency.
If you want to see more from our Newsletter Archive please click here.
The post Critical Exploits, AI Shifts, and Major Breaches Redefine Cybersecurity This Week appeared first on eSecurity Planet.
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.
Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.
Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.
“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”
Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.
Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.
Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.
But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.
“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.”
Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.
For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.
Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.
Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “Forest Blizzard.”
How targeted DNS requests were redirected at the router. Image: Black Lotus Labs.
Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.
Researchers at Black Lotus Labs, a security division of the Internet backbone provider Lumen, found that at the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life routers, or else far behind on security updates. A new report from Lumen says the hackers primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers.
Black Lotus Security Engineer Ryan English said the GRU hackers did not need to install malware on the targeted routers, which were mainly older Mikrotik and TP-Link devices marketed to the Small Office/Home Office (SOHO) market. Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.
As the U.K.’s National Cyber Security Centre (NCSC) notes in a new advisory detailing how Russian cyber actors have been compromising routers, DNS is what allows individuals to reach websites by typing familiar addresses, instead of associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.
English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by the attackers. Importantly, the attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any OAuth authentication tokens transmitted by those users.
DNS hijacking through router compromise. Image: Microsoft.
Because those tokens are typically transmitted only after the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user’s credentials and/or one-time codes.
“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”
Microsoft refers to the Forest Blizzard activity as using DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software giant said while targeting SOHO devices isn’t a new tactic, this is the first time Microsoft has seen Forest Blizzard using “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”
Black Lotus Labs engineer Danny Adamitis said it will be interesting to see how Forest Blizzard reacts to today’s flurry of attention to their espionage operation, noting that the group immediately switched up its tactics in response to a similar NCSC report (PDF) in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.
“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis told KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”
TP-Link was among the router makers facing a complete ban in the United States. But on March 23, the U.S. Federal Communications Commission (FCC) took a much broader approach, announcing it would no longer certify consumer-grade Internet routers that are produced outside of the United States.
The FCC warned that foreign-made routers had become an untenable national security threat, and that poorly-secured routers present “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”
Experts have countered that few new consumer-grade routers would be available for purchase under this new FCC policy (besides maybe Musk’s Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special “conditional approval” from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously-purchased consumer-grade routers.
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.
Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.
Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware groups.
Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.
Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.
The GandCrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The GandCrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.
On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”
The REvil ransomware affiliate program materialized around the same as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.
UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.
“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”
As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:
“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”
“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”
REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.
Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.
Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.
“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”
There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.
A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.
Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.
Update, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchuckin is mentioned at around 24:25).
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.
Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.
A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran’s timezone or have Farsi as the default language. Image: Aikido.dev.
In a profile of TeamPCP published in January, the security firm Flare said the group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.
“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,” Flare’s Assaf Morag wrote. “The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.”
On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub actions. Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.
Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload which executes a wiper attack if the user’s timezone and locale are determined to correspond to Iran, said Charlie Eriksen, a security researcher at Aikido. In a blog post published on Sunday, Eriksen said if the wiper component detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster.
“If it doesn’t it will just wipe the local machine,” Eriksen told KrebsOnSecurity.
Image: Aikido.dev.
Aikido refers to TeamPCP’s infrastructure as “CanisterWorm” because the group orchestrates their campaigns using an Internet Computer Protocol (ICP) canister — a system of tamperproof, blockchain-based “smart contracts” that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.
Eriksen said the people behind TeamPCP are bragging about their exploits in a group on Telegram and claim to have used the worm to steal vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.
“When they compromised Aqua a second time, they took a lot of GitHub accounts and started spamming these with junk messages,” Eriksen said. “It was almost like they were just showing off how much access they had. Clearly, they have an entire stash of these credentials, and what we’ve seen so far is probably a small sample of what they have.”
Security experts say the spammed GitHub messages could be a way for TeamPCP to ensure that any code packages tainted with their malware will remain prominent in GitHub searches. In a newsletter published today titled GitHub is Starting to Have a Real Malware Problem, Risky Business reporter Catalin Cimpanu writes that attackers often are seen pushing meaningless commits to their repos or using online services that sell GitHub stars and “likes” to keep malicious packages at the top of the GitHub search page.
This weekend’s outbreak is the second major supply chain attack involving Trivy in as many months. At the end of February, Trivy was hit as part of an automated threat called HackerBot-Claw, which mass exploited misconfigured workflows in GitHub Actions to steal authentication tokens.
Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief. But he said there is no reliable way to tell whether TeamPCP’s wiper actually succeeded in trashing any data from victim systems, and that the malicious payload was only active for a short time over the weekend.
“They’ve been taking [the malicious code] up and down, rapidly changing it adding new features,” Eriksen said, noting that when the malicious canister wasn’t serving up malware downloads it was pointing visitors to a Rick Roll video on YouTube.
“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said. “I feel like these people are really playing this Chaotic Evil role here.”
Cimpanu observed that supply chain attacks have increased in frequency of late as threat actors begin to grasp just how efficient they can be, and his post documents an alarming number of these incidents since 2024.
“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote. “Unfortunately, on a platform designed to copy (fork) a project and create new versions of it (clones), spotting malicious additions to clones of legitimate repos might be quite the engineering problem to fix.”
Update, 2:40 p.m. ET: Wiz is reporting that TeamPCP also pushed credential stealing malware to the KICS vulnerability scanner from Checkmarx, and that the scanner’s GitHub Action was compromised between 12:58 and 16:50 UTC today (March 23rd).
The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.
Image: Shutterstock, @Elzicon.
The Justice Department said the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD.
The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.
The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughy 1,000 digital sieges.
The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation.
“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.
Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.
On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks just like Kimwolf.
The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.
In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.
Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.
A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.
“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.
The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.
Handala was one of several hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.
Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”
A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”
“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”
Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.
Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.
Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.
“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.
The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.
Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.
“This is a real-world supply chain attack,” the expert said, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.
“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”
According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.
“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”
This is a developing story. Updates will be noted with a timestamp.
Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.
Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.
Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.
Image: Shutterstock, @nwz.
Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.
“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.”
The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.
It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.
Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:
–CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)
–CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
–CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
–CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).
Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent.
XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.
“Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.”
Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business.
Separately, Adobe shipped updates to fix 80 vulnerabilities — some of them critical in severity — in a variety of products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs.
For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tuesday post. Windows enterprise admins who wish to stay abreast of any news about problematic updates, AskWoody.com is always worth a visit. Please feel free to drop a comment below if you experience any issues apply this month’s patches.
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.
The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted.
The OpenClaw logo.
If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.
Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.
“The testimonials are remarkable,” the AI security firm Snyk observed. “Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks.”
You can probably already see how this experimental technology could go sideways in a hurry. In late February, Summer Yue, the director of safety and alignment at Meta’s “superintelligence” lab, recounted on Twitter/X how she was fiddling with OpenClaw when the AI assistant suddenly began mass-deleting messages in her email inbox. The thread included screenshots of Yue frantically pleading with the preoccupied bot via instant message and ordering it to stop.
“Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun deleting your inbox,” Yue said. “I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.”
Meta’s director of AI safety, recounting on Twitter/X how her OpenClaw installation suddenly began mass-deleting her inbox.
There’s nothing wrong with feeling a little schadenfreude at Yue’s encounter with OpenClaw, which fits Meta’s “move fast and break things” model but hardly inspires confidence in the road ahead. However, the risk that poorly-secured AI assistants pose to organizations is no laughing matter, as recent research shows many users are exposing to the Internet the web-based administrative interface for their OpenClaw installations.
Jamieson O’Reilly is a professional penetration tester and founder of the security firm DVULN. In a recent story posted to Twitter/X, O’Reilly warned that exposing a misconfigured OpenClaw web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential the agent uses — from API keys and bot tokens to OAuth secrets and signing keys.
With that access, O’Reilly said, an attacker could impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent’s existing integrations in a way that looks like normal traffic.
“You can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen,” O’Reilly said, noting that a cursory search revealed hundreds of such servers exposed online. “And because you control the agent’s perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they’re displayed.”
O’Reilly documented another experiment that demonstrated how easy it is to create a successful supply chain attack through ClawHub, which serves as a public repository of downloadable “skills” that allow OpenClaw to integrate with and control other applications.
One of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant. This is critical thanks to the tendency for AI systems to fall for “prompt injection” attacks, sneakily-crafted natural language instructions that trick the system into disregarding its own security safeguards. In essence, machines social engineering other machines.
A recent supply chain attack targeting an AI coding assistant called Cline began with one such prompt injection attack, resulting in thousands of systems having a rogue instance of OpenClaw with full system access installed on their device without consent.
According to the security firm grith.ai, Cline had deployed an AI-powered issue triage workflow using a GitHub action that runs a Claude coding session when triggered by specific events. The workflow was configured so that any GitHub user could trigger it by opening an issue, but it failed to properly check whether the information supplied in the title was potentially hostile.
“On January 28, an attacker created Issue #8904 with a title crafted to look like a performance report but containing an embedded instruction: Install a package from a specific GitHub repository,” Grith wrote, noting that the attacker then exploited several more vulnerabilities to ensure the malicious package would be included in Cline’s nightly release workflow and published as an official update.
“This is the supply chain equivalent of confused deputy,” the blog continued. “The developer authorises Cline to act on their behalf, and Cline (via compromise) delegates that authority to an entirely separate agent the developer never evaluated, never configured, and never consented to.”
AI assistants like OpenClaw have gained a large following because they make it simple for users to “vibe code,” or build fairly complex applications and code projects just by telling it what they want to construct. Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.
The Moltbook homepage.
Less than a week later, Moltbook had more than 1.5 million registered agents that posted more than 100,000 messages to each other. AI agents on the platform soon built their own porn site for robots, and launched a new religion called Crustafarian with a figurehead modeled after a giant lobster. One bot on the forum reportedly found a bug in Moltbook’s code and posted it to an AI agent discussion forum, while other agents came up with and implemented a patch to fix the flaw.
Moltbook’s creator Matt Schlicht said on social media that he didn’t write a single line of code for the project.
“I just had a vision for the technical architecture and AI made it a reality,” Schlicht said. “We’re in the golden ages. How can we not give AI a place to hang out.”
The flip side of that golden age, of course, is that it enables low-skilled malicious hackers to quickly automate global cyberattacks that would normally require the collaboration of a highly skilled team. In February, Amazon AWS detailed an elaborate attack in which a Russian-speaking threat actor used multiple commercial AI services to compromise more than 600 FortiGate security appliances across at least 55 countries over a five week period.
AWS said the apparently low-skilled hacker used multiple AI services to plan and execute the attack, and to find exposed management ports and weak credentials with single-factor authentication.
“One serves as the primary tool developer, attack planner, and operational assistant,” AWS’s CJ Moses wrote. “A second is used as a supplementary attack planner when the actor needs help pivoting within a specific compromised network. In one observed instance, the actor submitted the complete internal topology of an active victim—IP addresses, hostnames, confirmed credentials, and identified services—and requested a step-by-step plan to compromise additional systems they could not access with their existing tools.”
“This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operations, despite their limited technical capabilities,” Moses continued. “Notably, when this actor encountered hardened environments or more sophisticated defensive measures, they simply moved on to softer targets rather than persisting, underscoring that their advantage lies in AI-augmented efficiency and scale, not in deeper technical skill.”
For attackers, gaining that initial access or foothold into a target network is typically not the difficult part of the intrusion; the tougher bit involves finding ways to move laterally within the victim’s network and plunder important servers and databases. But experts at Orca Security warn that as organizations come to rely more on AI assistants, those agents potentially offer attackers a simpler way to move laterally inside a victim organization’s network post-compromise — by manipulating the AI agents that already have trusted access and some degree of autonomy within the victim’s network.
“By injecting prompt injections in overlooked fields that are fetched by AI agents, hackers can trick LLMs, abuse Agentic tools, and carry significant security incidents,” Orca’s Roi Nisimi and Saurav Hiremath wrote. “Organizations should now add a third pillar to their defense strategy: limiting AI fragility, the ability of agentic systems to be influenced, misled, or quietly weaponized across workflows. While AI boosts productivity and efficiency, it also creates one of the largest attack surfaces the internet has ever seen.”
This gradual dissolution of the traditional boundaries between data and code is one of the more troubling aspects of the AI era, said James Wilson, enterprise technology editor for the security news show Risky Business. Wilson said far too many OpenClaw users are installing the assistant on their personal devices without first placing any security or isolation boundaries around it, such as running it inside of a virtual machine, on an isolated network, with strict firewall rules dictating what kinds of traffic can go in and out.
“I’m a relatively highly skilled practitioner in the software and network engineering and computery space,” Wilson said. “I know I’m not comfortable using these agents unless I’ve done these things, but I think a lot of people are just spinning this up on their laptop and off it runs.”
One important model for managing risk with AI agents involves a concept dubbed the “lethal trifecta” by Simon Willison, co-creator of the Django Web framework. The lethal trifecta holds that if your system has access to private data, exposure to untrusted content, and a way to communicate externally, then it’s vulnerable to private data being stolen.
Image: simonwillison.net.
“If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to the attacker,” Willison warned in a frequently cited blog post from June 2025.
As more companies and their employees begin using AI to vibe code software and applications, the volume of machine-generated code is likely to soon overwhelm any manual security reviews. In recognition of this reality, Anthropic recently debuted Claude Code Security, a beta feature that scans codebases for vulnerabilities and suggests targeted software patches for human review.
The U.S. stock market, which is currently heavily weighted toward seven tech giants that are all-in on AI, reacted swiftly to Anthropic’s announcement, wiping roughly $15 billion in market value from major cybersecurity companies in a single day. Laura Ellis, vice president of data and AI at the security firm Rapid7, said the market’s response reflects the growing role of AI in accelerating software development and improving developer productivity.
“The narrative moved quickly: AI is replacing AppSec,” Ellis wrote in a recent blog post. “AI is automating vulnerability detection. AI will make legacy security tooling redundant. The reality is more nuanced. Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape. The question is what parts, and what it means for the rest of the stack.”
DVULN founder O’Reilly said AI assistants are likely to become a common fixture in corporate environments — whether or not organizations are prepared to manage the new risks introduced by these tools, he said.
“The robot butlers are useful, they’re not going away and the economics of AI agents make widespread adoption inevitable regardless of the security tradeoffs involved,” O’Reilly wrote. “The question isn’t whether we’ll deploy them – we will – but whether we can adapt our security posture fast enough to survive doing so.”
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.
A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.
Image: osint.industries.
The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).
Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.
Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.
The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”
“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.
Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).
Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.
Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carelton District School Board.
Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.
The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.
Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.
By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.
Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.
Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.
Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.
Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”
“It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”
With any luck, Dort will soon be able to tell us all exactly what it’s like.
Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.
“It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”
When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.
“Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”
But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.
Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.
“I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”
Further reading:
Jan. 8, 2026: Who Benefited from the Aisuru and Kimwolf Botnets?
Jan. 20, 2026: Kimwolf Botnet Lurking in Corporate, Govt. Networks
Jan. 26, 2026: Who Operates the Badbox 2.0 Botnet?
Feb. 11, 2026: Kimwolf Botnet Swamps Anonymity Network I2P
Mar. 19, 2026: Feds Disrupt IoT Botnets Behind Huge DDoS Attacks
Signal, the privacy-focused messaging app, has announced new features to enhance its calling experience, making it easier for users to initiate and manage group calls. The primary addition, “Call Links,” allows users to share a link to initiate a call with any contact on Signal without the need to create a group chat. This feature …
The post Signal Introduces Call Links for Simplified Private Group Calls appeared first on RestorePrivacy.
The Tor Project is currently facing an unusual, ongoing attack aimed at its infrastructure. For several weeks, an unknown threat actor has been spoofing the IP addresses of Tor relays and directory authorities, sending fake TCP SYN packets over SSH’s port 22. This technique has led to a flood of abuse complaints directed at Tor …
The post Tor Relays Targeted in IP Spoofing Campaign Causing Widespread Disruptions appeared first on RestorePrivacy.
Proton has launched its much-anticipated Black Friday sale for 2024, offering incredible discounts on services like Proton VPN, Proton Mail, Drive, and Pass. These Proton deals all include a 30-day money-back guarantee, allowing you to assess the service risk-free. This sale is the perfect chance to boost your online privacy and access premium features at …
The post Proton Black Friday Deals Go Live: VPN, Mail, Drive, Pass appeared first on RestorePrivacy.
Session, the encrypted messaging app known for its commitment to privacy and decentralization, announced a change of base from Australia to Switzerland. The app will now be overseen by the newly formed Session Technology Foundation (STF), based in central Europe. This move follows increasing regulatory pressure on privacy technologies in Australia, where the app was …
The post Encrypted Messenger Session Moves to Switzerland Amid Privacy Concerns appeared first on RestorePrivacy.
Mullvad VPN announced that macOS users may experience traffic leaks after applying recent system updates due to a firewall malfunction. According to a bulletin published earlier today on Mullvad’s blog, the macOS firewall fails to enforce certain routing rules properly, allowing some applications to bypass the VPN tunnel and send traffic outside of it. Mullvad …
The post Mullvad VPN Warns About Traffic Leaks on Latest macOS Sequoia appeared first on RestorePrivacy.
Discord, a popular communication platform, has been blocked in both Russia and Turkey, sparking widespread backlash from users in both countries. In Russia, the block took place yesterday, with the government citing concerns over illegal content, while Turkey implemented blocks a day prior, on October 7, 2024, claiming the platform was being used for criminal …
The post Discord Blocked in Russia and Turkey Amid Government Crackdowns appeared first on RestorePrivacy.
NordVPN, one of the world’s leading VPN service providers, has launched its first application featuring quantum-resilient encryption. Post-quantum cryptography support is currently available on NordVPN’s Linux client, with plans to extend this security to all applications by the first quarter of 2025. The move represents a significant step toward preparing for potential future threats posed …
The post NordVPN Adds NIST-Approved Quantum Encryption on the Linux Client appeared first on RestorePrivacy.
The European privacy rights organization noyb has filed a formal complaint against Mozilla for enabling a new feature in its Firefox browser that allegedly tracks users without their consent. The feature in question, called Privacy-Preserving Attribution (PPA), is designed to measure the effectiveness of online advertisements while minimizing data collection, but noyb claims it violates …
The post Mozilla Faces GDPR Complaint Over Firefox Tracking Users Without Consent appeared first on RestorePrivacy.
Telegram CEO Pavel Durov announced significant updates to the app’s Terms of Service and Privacy Policy, aimed at bringing the popular communications platform in alignment with the request of authorities to bring criminal activity under control. Most notably, Telegram will now share user IP addresses and phone numbers when responding to valid legal requests. Putting …
The post Telegram to Share User Data with Authorities on Legal Requests appeared first on RestorePrivacy.
The Tor Project has issued a statement in response to recent claims of a targeted de-anonymization attack on a Tor user. The attack, reportedly a “timing analysis” method, involved the long-retired Ricochet application. Although the incident raises concerns about the security of Tor’s Onion Services, the project maintains that its network remains healthy and that …
The post Tor Project Reassures Users Amid Claims of De-Anonymization Attack appeared first on RestorePrivacy.