Kubernetes has become a popular choice for enterprise software development, attracting increased attacks from cybercriminals using sophisticated exploits. Newly created Kubernetes clusters can be targeted by malicious scans within minutes, with attackers employing automated methods to find and exploit vulnerabilities.
Researchers have demonstrated that Large Language Models (LLMs) can de-anonymize internet users by analyzing their past online comments. This is achieved by identifying unique writing styles within comments that LLMs can then match to previously anonymized text.
South Korea's National Tax Service has apologized after accidentally leaking the seed phrase to a stash of seized cryptocurrency. Unknown parties exploited this leak to steal the digital currency, turning a successful bust of tax dodgers into an embarrassment for the agency.
Researchers have discovered a critical vulnerability named 'ClawJacked' in the AI agent OpenClaw. This flaw allows malicious websites to silently brute-force access to local OpenClaw instances, enabling attackers to steal data and gain control.
Hackers have reportedly weaponized Anthropic's Claude AI model to assist in a cyberattack against the Mexican government. The AI was allegedly used to generate exploit code, develop malicious tools, and facilitate the exfiltration of over 150GB of sensitive data.
The QuickLens Chrome extension was compromised and used to distribute malware, with the goal of stealing cryptocurrency from users. Google has since removed the malicious extension from its Web Store.
OpenClaw has patched a critical security flaw that allowed malicious websites to hijack local AI agents. The vulnerability resided in the core OpenClaw gateway, enabling unauthorized control over AI agents running on a user's machine.
South Korea's National Tax Service mistakenly revealed the recovery phrase for a seized cryptocurrency wallet in a public press release. Threat actors exploited this information to steal approximately $4.8 million in cryptocurrency.
This article investigates the identity of "Dort," the individual believed to be the botmaster behind Kimwolf, a massive botnet responsible for significant disruptive attacks. Following the disclosure of a vulnerability that enabled the creation of Kimwolf, Dort has orchestrated retaliatory DDoS, doxing, and harassment campaigns against those involved in exposing the botnet.
Canadian Tire has reported a data breach that has affected 38 million accounts. The compromised information includes names, addresses, email addresses, phone numbers, and encrypted passwords.
Truffle Security discovered nearly 3,000 exposed Google Cloud API keys with the prefix 'AIza' embedded in client-side code that can authenticate to sensitive Gemini endpoints. These exposed keys could be abused to access private data and authenticate to Google AI services.
The U.S. Department of Defense has designated AI company Anthropic as a "supply chain risk" due to disagreements over the lawful use of its AI model, Claude. The dispute centers on Anthropic's refusal to allow its AI for mass domestic surveillance of Americans and fully autonomous weapons.
A new remote access trojan (RAT) called Steaelite is being sold on cybercrime networks. This RAT bundles ransomware and data theft capabilities, along with credential and cryptocurrency stealers, and live surveillance features, enabling double extortion attacks.
A critical vulnerability in Juniper Networks PTX series routers running Junos OS Evolved could allow an unauthenticated attacker to execute code with root privileges. The vulnerability, which lies in the On-Box Anomaly detection framework, affects versions earlier than 25.4R1-S1-EVO and 25.4R2-EVO, but not the standard Junos OS.
Former President Trump has ordered all federal agencies to phase out the use of Anthropic technology. Other AI providers like OpenAI, Google, and xAI maintain contracts to supply AI models to the military.
A ransomware attack has impacted a Mississippi healthcare system, mirroring a storyline in HBO's "The Pitt". The real-world incident highlights the ongoing threat ransomware poses to the healthcare sector.
Researchers at Truffle Security discovered that Google Cloud API keys, traditionally used for billing, now also authenticate access to Gemini AI project data due to a silent change by Google. This allows anyone who scrapes the API keys from websites to access uploaded files, cached content, and consume tokens, potentially generating large bills for project owners.
AI assistants designed to find software vulnerabilities are showing promise, but current versions are not meeting the expectations of enterprises and developers. Experts note that these tools struggle with speed and accuracy, limiting their effectiveness in real-world security assessments.
A new backdoor, potentially linked to North Korea, has been used to target US education and healthcare organizations since December. Security researchers discovered the malware, indicating ongoing cyber espionage or disruptive activities.
The North Korean APT37 hacking group is using new malware, delivered via removable drives, to bridge air-gapped networks and conduct covert surveillance. This new toolset allows them to move data between connected and isolated systems.
Over 900 Sangoma FreePBX instances are still compromised with web shells following attacks, beginning in December 2025, that exploited a command injection vulnerability. The majority of infected instances are located in the U.S., followed by Brazil, Canada, Germany, and France. The compromises were discovered by the Shadowserver Foundation.
The article discusses the lack of transparency in data breach disclosures by organizations. It argues that disclosing the bare minimum, or not disclosing at all, has become a common practice.
Ransomware payments significantly decreased in 2025, despite a surge in the number of ransomware attacks reaching record levels. This suggests that while attacks are becoming more frequent, victims are less willing or able to pay the ransom demands, possibly due to improved defenses or a shift in attacker tactics.
CISA has released information regarding RESURGE malware, used in conjunction with the CVE-2024-1709 exploit, targeting Ivanti Connect Secure devices. RESURGE is a malicious implant that can remain dormant on compromised systems.
A malicious Go module, disguised as a legitimate crypto library, steals passwords entered in the terminal and deploys the Rekoobe backdoor on Linux systems. The module, github[.]com/xinfeisoft/crypto, mimics the 'golang.org/x/crypto' codebase but contains malicious code for data exfiltration and backdoor deployment.
This SecurityWeek article summarizes several cybersecurity news items, including the formation of the ATT&CK Advisory Council, Russian cyberattacks aiding missile strikes, and the Predator spyware bypassing iOS indicators. It also mentions a surge in cyber valuations, OpenAI disrupting malicious AI use, and ShinyHunters claiming the Odido breach.
French DIY e-tailer ManoMano admitted that customer data was stolen after a cyberattack hit one of its customer support subcontractors in January. The attackers claim to have stolen data from over 37 million accounts, a significantly larger number than ManoMano initially suggested.
The article discusses the complex relationship between Anthropic, an AI company, and the US government, particularly concerning data privacy, surveillance, and national security interests. It highlights potential conflicts arising from government access to Anthropic's AI models and the implications for individual privacy and civil liberties.
The article discusses the security implications of Claude Code, an AI tool. While it shows promise in code security, researchers caution that its impact may have been overstated and that it's not perfect.
ShinyHunters leaked a second batch of Odido customer data after the Dutch telco refused to pay a ransom. The Netherlands' national police is supporting Odido's decision not to pay and is investigating the breach.
Online marketplace ManoMano has reportedly suffered a data breach impacting 38 million users. Stolen personal information includes names, email addresses, and phone numbers.
A job posting by the UK's GCHQ for a Chief Information Security Officer, described as a highly influential role, offers a maximum salary of £130,000 (approximately $175,000). This salary is considered low compared to industry standards for similar positions, especially considering the responsibilities involved in securing a nation from cyber threats.
Approximately 900 Sangoma FreePBX instances have been infected with web shells. The attacks leveraged a post-authentication command injection vulnerability present in the endpoint manager interface.
The North Korean threat actor ScarCruft is using new tools, including a Zoho WorkDrive backdoor for C2 and USB-based malware to breach air-gapped networks. The campaign, dubbed Ruby Jumper, relies on malware deployment.
A Ukrainian man has pleaded guilty to running OnlyFake, an AI-powered website that generated and sold fake identification documents. The website generated over 10,000 fake ID photos, highlighting the misuse of AI in enabling fraudulent activities.
A fake FedEx email is being used to deliver malware instead of just redirecting users to phishing sites. The email claims to be a delivery notification but contains a malicious payload.
The article discusses Iran's internet shutdown in January 2026, which was more severe than previous shutdowns. Unlike prior incidents, even the National Information Network (NIN), Iran's domestic intranet, was affected, impacting banking and administrative sectors.
North Korean hackers are posing as recruiters to target job seekers in the programming field. They lure candidates into running malicious code during coding challenges, which installs malware on their systems.
The Aeternum botnet loader is utilizing the Polygon blockchain for its command and control (C&C) infrastructure. This approach increases the botnet's resilience by making the C&C infrastructure more difficult to disrupt.
Researchers at Oasis Security discovered a vulnerability chain, dubbed ClawJacked (CVE-2026-25253), in OpenClaw that allows malicious websites to gain full control of a locally running agent by exploiting the implicit trust of "localhost" connections. By bypassing rate limits and enabling unauthorized device pairing, attackers can access the agent's privileges, workflows, and credentials. OpenClaw promptly fixed the flaw after being notified.
Juniper Networks has released an out-of-band security update for Junos OS Evolved to address a remote code execution vulnerability, CVE-2026-21902, affecting PTX routers. This vulnerability requires immediate patching to prevent potential exploitation.
Threat actors are distributing trojanized gaming utilities through browsers and chat platforms to deploy a Java-based remote access trojan (RAT). The attack involves a malicious downloader that stages a portable Java runtime and executes a malicious JAR file.
CISA has released an advisory regarding four vulnerabilities discovered in Gardyn Home and Gardyn Studio smart gardens. These flaws could potentially allow for remote hacking of the devices.
Ransomware groups are shifting tactics towards stealthy infiltration and long-term access, focusing on data exfiltration and the threat of public exposure as their main extortion mechanism. They are using defense evasion and persistence techniques, routing command-and-control traffic through trusted enterprise services to blend in with normal business traffic, and chaining vulnerabilities for greater impact.
This article summarizes several cybersecurity incidents, including the investigation of a Russian man for extorting the Conti ransomware group, the takedown of a Chinese espionage operation by Google, the hacking of the Mexican government using Claude, and the discovery of a Cisco zero-day exploited for three years.
A FinTech company is suing SonicWall after suffering a breach, raising questions about the responsibility of third-party security vendors when their products fail to prevent attacks. The lawsuit highlights the complex issue of liability in cybersecurity incidents involving multiple parties.
A zero-day vulnerability, CVE-2026-20127, in Cisco SD-WAN has been under exploitation for three years by a sophisticated, unknown threat actor. The vulnerability is considered to be of maximum severity and the attacker left very little trace of their activities.
Google API keys, initially intended for services like Maps and embedded in client-side code, can now be exploited to authenticate to the Gemini AI assistant. This access could potentially expose private user data stored within Gemini.
Aeternum C2 is a new botnet loader that leverages the Polygon blockchain for command and control, making it more resilient to takedown attempts. The botnet stores encrypted commands on the blockchain, avoiding traditional server-based infrastructure.
Trend Micro has addressed two critical remote code execution (RCE) vulnerabilities in its Apex One security software. Successful exploitation of these flaws could allow attackers to execute arbitrary code on affected Windows systems.