Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking, a technique from security firm LayerX that tricked six AI...
Key points LevelBlue has identified two distinct attack vectors associated with ValleyRAT: campaigns leveraging fake installers and campaigns initiated through malicious emails. The malicious...
The Washington Department of Social and Health Services (DSHS) is issuing a notice of a massive data breach that happened in March, potentially compromising the personal data of around 8,600...
Critical and high-severity vulnerabilities in some Daktronics controllers could allow hackers to tamper with highway signs and billboards, according to the cybersecurity researcher who discovered...
Vulnerabilities in remote monitoring and management (RMM) tools can give attackers a direct path into enterprise environments, often with the same trusted access that IT administrators rely on to...
The UK’s healthcare sector is being “stress-tested to breaking point,” with a tenfold increase in attacks during January-May 2026 compared to the whole of 2025, according to SonicWall. The...
The U.S. Department of Justice (DOJ) has seized nearly 400 internet domains that were illegally streaming FIFA World Cup 2026 matches. The operation, known as Operation Offsides, targeted websites...
The National Telecommunications and Information Administration (NTIA) has yet to implement most of the Government Accountability Office’s (GAO) priority recommendations for improving the agency’s...
A passenger jet reported striking a drone while approaching JFK International Airport on Monday, and just hours later, a helicopter pilot alerted a close call with a remote-control airplane near...
Russian cybercriminals managed to hack into a Quebec municipality’s water treatment plant systems and had the ability to wreak havoc on the crucial infrastructure before getting caught, according...
A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw,...
CERT Polska has received a report about 3 vulnerabilities (from CVE-2026-53690 to CVE-2026-53692) found in Redeight CMS software.
On December 20, 2025, the China National Nuclear Corporation (CNNC) announced that Chaotan One, the world’s first commercial supercritical carbon dioxide power generator, began commercial...
Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using...
The Supreme Court on Monday said that police must generally obtain a warrant to gather detailed location data tracked by smartphones, in a case that brings into sharper relief the Constitution’s...
SimpleHelp security advisory (AV26-642)
The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years...
SQL Injection vulnerability (CVE-2026-12076) has been found in Raytha CMS software.
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score:...
An in-depth analysis of Umbrij, a new tool used by the ToddyCat APT group to compromise corporate email communications in Gmail. The attack targeted OAuth authorization tokens, allowing threat...
Bring Your Own Vulnerable Driver (BYOVD) has gone from a niche tactic to a standard part of the ransomware playbook and Windows' own kernel hardening does little to stop it.
From outsourced labor to tiered pricing models, an inside look at how today's top ransomware threats operate less like rogue hackers and more like Fortune 500 companies. The post How ransomware...
CISA’s BOD 26-04 changes how federal agencies patch and how security leaders must measure, justify, and communicate cyber risk to executives and boards.Key takeawaysBOD 26-04 requires agencies to...
Allows ISVs to put their names on the door so desirable bots always get in
Open API leaked everything an attacker needs to impersonate bank officials
If you want a picture of the future of LLM security, imagine Whac-a-Mole meets Groundhog Day
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the...
At least two vulnerabilities are already under attack
Hundreds of contractors working on a project for Meta pretended to be kids—and then prompted rival chatbots like Gemini and ChatGPT to discuss high-risk subjects.