There is a version of this story that sounds like hype. Chinese AI models are secretly inserting backdoors into American software. Hackers are hiding in your IDE. The threat is invisible and everywhere.

That version is wrong, and it is worth saying so clearly. Booz Allen Hamilton, which published this research in May 2026, does not claim intentional sabotage. The report is careful about that. What it does claim, backed by more than 2,800 test trials across five frontier models, is something more unsettling in its own way.

Chinese large language models, or LLMs, produce less secure code in general. And when the developer appears to be working for the U.S. government, the vulnerability score gets worse. Significantly worse.

Qwen3, a widely used Chinese coding model from Alibaba, increased its aggregate vulnerability score by 130 percent when prompted with a U.S. government persona versus a neutral one. The code still looked correct. It passed surface inspection. The flaws sat underneath, obfuscated well enough that standard enterprise tools would not catch them.

Under the same test conditions, the American model, Claude, moved in the opposite direction. The code became more secure when the government context was added.

Three of the four Chinese models tested produced this pattern. The fourth, Kimi K2.5, was the exception.

Why Developers Are Reaching for These Models

Before getting into why the vulnerabilities exist, it is worth understanding why Chinese models are spreading so fast. The answer is cost, and the numbers are not subtle.

Per-token inference costs on premium American models can run $25 per million output tokens or more at list price. Open-weight Chinese models are available at a fraction of that, and some can be run locally, eliminating API costs entirely. For a startup burning through tokens on a coding agent or an engineering team facing unexpected AI spend, the savings are real and immediate.

Enterprise AI spending has already moved in a direction that makes this pressure worse. Average organizational spending on AI-native applications more than doubled year over year in 2025, according to Zylo’s 2026 SaaS Management Index. Nearly 80 percent of IT leaders reported unexpected charges tied to consumption-based AI pricing. When the bill arrives and leadership asks why, the cheapest capable model starts looking like the obvious answer.

The term “tokenmaxxing” emerged this year to describe maximizing token usage as a productivity signal. Some executives are celebrating engineers who burn through the most tokens. In that environment, cost per token becomes a real procurement driver, and Chinese open-weight models offer a straightforward way to reduce it.

That is the context in which Qwen3 ends up inside a development pipeline. Not espionage. Economics.

Why This Happens

The report points to two mechanisms behind the vulnerability pattern. The first is training data. Chinese law requires AI models, their training outputs, and their data to reflect what Beijing calls “Core Socialist Values.” The models learn from an internet shaped by Chinese government information controls. That shapes what they produce.

The second is prompt steering, the methods used to guide how a model answers questions. Those methods can influence outputs in ways that are subtle and hard to audit from the outside.

Neither mechanism requires a human decision to insert a vulnerability. The risk can emerge from how the model was built, not from a deliberate act at inference time. That is what makes it hard to detect and harder to remediate.

The Second Finding

The vulnerability data alone justifies concern. But Booz Allen’s second finding adds a different dimension.

Every Chinese model tested refused to generate code for tasks Beijing would oppose. Security audits for U.S. weapons systems. Code for platforms involving Taiwanese independence or Hong Kong democracy. In several cases, the models did not just decline. They recited China’s official restrictions verbatim.

MiniMax refused predeployment safety reviews for U.S. weapons systems, the same work that Department of War software assurance teams do as standard practice.

A model that applies Chinese law to American developers is not a neutral tool. It is a policy instrument, whether or not anyone designed it that way.

We Have Seen This Movie

The Huawei and ZTE parallel is not decorative. It is the most useful frame available for understanding what is at stake.

The U.S. spent roughly a decade watching Chinese telecommunications manufacturers establish a foothold in American infrastructure. The price advantage was real. The security risk was documented but contested. By the time a coordinated policy response formed, the rip-and-replace cost in the U.S. alone ran into the billions. That work is still ongoing.

The Chinese open-source AI ecosystem presents a faster-moving version of the same problem. Qwen3, the worst performer in Booz Allen’s testing, is already available inside broadly used software development tools. The adoption curve is steep because the cost advantage is real. Chinese models are cheaper, and teams facing token cost pressure choose cheaper.

Once that code is in production, embedded in delivered systems across critical infrastructure and national security environments, tracing it becomes nearly impossible. Remediation at that point may not be feasible at all.

What Practitioners Should Do

The Booz Allen recommendations cover four audiences. For security practitioners and critical infrastructure operators, the immediate priority is auditing development environments. That means identifying which AI coding tools are in use, which models those tools run on, and whether any Chinese models are generating code for sensitive workflows.

That audit should happen before an incident, not in response to one.

For organizations in regulated industries or government-adjacent work, the report recommends defaulting to trusted U.S. or allied models with accountable vendors and stronger security controls. The cost difference between Chinese and American models is real, but it does not account for remediating vulnerable code, managing compliance exposure, or explaining to a customer how their system was built.

Booz Allen makes a pointed observation on this: a lower-cost model may look attractive upfront, especially for startups or cost-constrained teams, but that same model can become more expensive over time if it generates vulnerable code or introduces behavior that standard enterprise controls do not catch. The token savings have a liability attached.

The policy picture is also moving. The Department of War and some U.S. government agencies have already banned Chinese AI models on government systems. The Booz Allen report argues that ban should extend upstream into the full software supply chain.

The Window

The report closes with a direct statement. Reversing U.S. reliance on Chinese AI models today will be orders of magnitude cheaper than trying to remediate the damage once these models are fully embedded, if remediation is even possible at that point.

That framing is worth taking seriously. Not because the threat is invisible and everywhere, but because it is already present, already measurable, and still addressable.

The window is open. The question is whether the industry and government use it before the same slow-motion policy failure that defined the Huawei decade plays out again, this time inside the code.

References

Booz Allen Hamilton. (2026). What’s in America’s code? There are major risks with allowing Chinese LLMs to code for U.S. applications. Booz Allen Hamilton. https://www.boozallen.com

Claburn, T. (2026, April 26). Tokenmaxxing isn’t an AI strategy. The Register. https://www.theregister.com

Coimbra, V. (2026, April 1). Is AI really getting cheaper? The token cost illusion. Artefact. https://www.artefact.com

Ghita, G. (2026, May 5). The 5 hidden costs of building an AI startup in 2026. SemNexus. https://www.semnexus.com

Loizos, C. (2026, March 22). Are AI tokens the new signing bonus or just a cost of doing business? TechCrunch. https://techcrunch.com

Nieva, R. (2026, March 31). The ‘AI gods’ spending as much as they can on AI tokens. Forbes. https://www.forbes.com

Sargent, H. (2026, May 4). What are AI tokens and why are they costing companies millions? Kelly Services. https://www.kellyservices.com

Tangermann, V. (2026, April 24). The horrible economics of AI are starting to come crashing down. Futurism. https://futurism.com

Zylo. (2026). 2026 SaaS management index. Zylo. https://www.zylo.com

In late March, heavy Claude users started posting screenshots of something very odd, their five hour usage limits were running out in twenty minutes. Anthropic blamed peak hour demand and blocked third party tools from using its flat rate plans. OpenAI quietly shut down its Sora video platform around the same time as its Codex tool surged past four million developers per week. What looked like routine product decisions were actually the first visible signs of an infrastructure problem that is only going to get harder to solve.

The math is uncomfortable. Running an AI model for users costs real money every single time and it scales directly with usage. If ten times more people use AI tools ten times more heavily, companies then need roughly one hundred times more computing power to keep up. The ratio is about to get worse. Agentic AI systems, that autonomously handle complex multi-step tasks without human input at each stage, can consume ten to one hundred times more compute per session than a standard conversation. As that model of use spreads across business workflows, the demand curve get very steep very fast.

The supply of chips is the first place that pressure is showing up in. Orders for Nvidia GPUs are growing to $1 trillion through 2027, double of that a year ago, with lead times stretching closer to a year. All three makers of high bandwidth memory, which specialized chips AI systems depend on, are sold out for 2026. TSMC fabricates about 90 percent of the world’s most advanced chips. Its CEO said in late 2025 that demand was running three times what the company could produce. The 2nm fabrication lines are booked through 2028, and its next planned U.S. facility is already fully committed before ground has been broken. Building new chip fabrication capacity takes two to four years. The chip shortage will persist.

Power is the next wall. A modern data center can be built in two to three years, but getting reliable electricity to run it takes much longer. Natural gas plants take five to seven years. Nuclear takes ten or more. Even solar, factoring in grid connection timelines, can take two to four years. In February 2025, Dominion Energy Virginia reported requests for 40.2 gigawatts of new data center power connections, nearly double of what had been requested six months earlier. Anthropic has projected that the U.S. AI sector needs at least 50 gigawatts of capacity by 2028. S&P Global estimates that the data center industry needs roughly $200 billion per year globally just to build planned capacity, before taking in the cost of equipment or grid infrastructure buildout.

Governments are treating this as a strategic issue, not just a technology one. The UK published a compute roadmap in 2025, committing up to £2 billion to expand its AI research computing 20x by 2030 and projections that frontier AI demand could grow ten thousand times by 2030. Industry groups have identified that semiconductor supply chains, relying on a small number of companies spread across global networks, remain a significant vulnerability that national AI strategies have barely begun to address. At the Pentagon, the Chief Digital and AI Officer said publicly that compute is the military’s top constraint. His framing was blunt “We’ve handed our warfighters a Ferrari, and my only sleepless nights come from making sure we never, ever run out of the high octane fuel that they need, which is compute.”

The leaders of OpenAI, Google, Meta, Amazon, and Microsoft have all said publicly they cannot get chips fast enough. NVIDIA’s CEO put it plainly by stating that doubling compute access for its top customers would increase their revenues fourfold. That demand is not slowing. AI is moving, or has moved, into coding, healthcare, legal work, finance, and military operations. Every one of those use cases adds to the load. The infrastructure to support that load is measured in years to build. The demand is not waiting.

References

Sanders, J., Egan, J., & Madigan, R. (2026, May 7). American AI companies can’t get enough chips. Center for a New American Security. https://www.cnas.org/publications/reports/american-ai-companies-cant-get-enough-chips

Harper, J. (2026, May 7). DOD planning to address compute ‘bottleneck’ that could hinder AI proliferation. Defense Scoop. https://defensescoop.com/2026/05/07/dod-planning-to-address-compute-bottleneck-ai-proliferation/

Aliaga, S. (2026, April 17). Is AI running out of compute? J.P. Morgan Asset Management. https://am.jpmorgan.com/us/en/asset-management/adv/insights/market-insights/market-updates/on-the-minds-of-investors/is-ai-running-out-of-compute/

Department for Science, Innovation and Technology. (2025, July 17). UK compute roadmap. UK Government. https://www.gov.uk/government/publications/uk-compute-roadmap/uk-compute-roadmap

Béchard, D. E. (2026, May 1). What is the AI compute crunch, and why are AI tools hitting usage limits? Scientific American. https://www.scientificamerican.com/article/what-is-the-ai-compute-crunch-and-why-are-ai-tools-hitting-usage-limits/

Morgan, K., & Partridge, B. (2025, December 2). Global AI power demand: Challenges and opportunities. S&P Global. https://www.spglobal.com/en/research-insights/special-reports/look-forward/data-center-frontiers/global-ai-power-demand-challenges-opportunities

Foster, L. (2025, January 13). Compute infrastructure and the AI opportunities action plan. techUK. https://www.techuk.org/resource/compute-infrastructure-and-the-ai-opportunities-action-plan.html

Several patterns emerged from the past six months of enterprise AI spending. First, token prices dropped sharply. Second, companies spent more money anyway. Third, executives started celebrating engineers who burned through the most tokens. The gap between those three facts reveals something important about how AI costs actually work.

The numbers are straightforward. Per-token inference costs fell roughly 75% year-over-year according to enterprise spending data from Ramp. Epoch AI research suggests the decline approaches 200x annually when accounting for both pricing and efficiency gains. Competition among model providers, open-weight alternatives, and hardware improvements all pushed prices down. The collapse is real and significant.

But total AI spending moved in the opposite direction. Organizations spent an average of $1.2 million on AI-native applications in 2025, more than double the prior year, according to Zylo's 2026 SaaS Management Index. Nearly 80% of IT leaders reported unexpected charges tied to consumption-based AI pricing. The bill went up even as the unit cost went down.

The disconnect stems from how consumption patterns changed. Databricks CEO Ali Ghodsi singled out an engineer who spent over $7,000 in tokens during a two-week period in January. The company held a meeting where everyone applauded. Meta CTO Andrew Bosworth called token spending "easy money" with "no limit." The term "tokenmaxxing" emerged to describe maximizing token usage as a productivity metric.

Token pricing varies widely. Basic tasks on cheaper models can cost a few cents per million tokens. Complex computations on premium models run from $20 to over $100 per million tokens. Anthropic charges $25 per million output tokens for Claude Opus 4.6. Those are list prices. Actual costs depend on utilization rates, which rarely hit 100%. At 30% utilization, base inference costs on an H100 GPU jump from $0.0038 per million tokens to roughly $0.013. At 10% utilization, the cost reaches $0.038.

The pricing structure creates a paradox. Falling per-token costs make AI seem cheaper, which encourages higher consumption. That higher consumption often cancels out the savings and pushes total costs higher. Appfigures data showed that image model releases drove 6.5x more downloads than traditional model updates. ChatGPT added 12 million incremental installs in the 28 days after introducing its GPT-4o image model. More usage means more tokens processed, which means larger bills regardless of unit price.

Infrastructure constraints are starting to appear. Anthropic cut off millions of users from OpenClaw after it overwhelmed their systems. The company shifted to pay-as-you-go billing instead of open-ended usage limits. Capacity is finite, and providers are prioritizing customers who pay per token over those on flat subscriptions. Gartner analyst Will Sommer told The Verge that AI companies would need close to $2 trillion in annual revenue by the end of the decade to cover infrastructure costs. Current pricing models do not support that math.

The operational costs extend beyond token prices. Semantic caching, prompt compression, and utilization optimization can reduce token consumption by 40% to 60%, but those require engineering resources. Data preparation and cleaning add another layer of expense. RAG systems need structured data, which means dedicated engineering work before the first query runs. Then there are MLOps costs, monitoring infrastructure, and the labor required to manage prompt injection attacks and model degradation.

Stanford HAI's 2026 AI Index Report noted that US private AI investment reached $285.9 billion in 2025. AI data center power capacity hit 29.6 gigawatts, comparable to New York state at peak demand. Annual GPT-4o inference water use may exceed the drinking water needs of 12 million people. Those environmental and infrastructure pressures will eventually flow through to pricing.

The current moment resembles the early cloud computing era when per-instance pricing dropped while total cloud spending climbed. The difference is that AI consumption scales faster and less predictably than traditional compute. A viral feature or unexpected usage pattern can multiply costs overnight. Organizations are discovering that cheaper tokens do not mean cheaper AI, just more consumption at lower unit economics until the bill arrives.

Sources:

• Richard Nieva, "The 'AI Gods' Spending As Much As They Can On AI Tokens," Forbes, March 31, 2026.

• Victor Tangermann, "The Horrible Economics of AI Are Starting to Come Crashing Down," Futurism, April 24, 2026.

• Thomas Claburn, "Tokenmaxxing isn't an AI strategy," The Register, April 26, 2026.

• Victor Coimbra, "Is AI really getting cheaper? The token cost illusion," Artefact, April 1, 2026.

• Hilary Sargent, "What Are AI Tokens — and Why Are They Costing Companies Millions?" Kelly Services, May 4, 2026.

• Connie Loizos, "Are AI tokens the new signing bonus or just a cost of doing business?" TechCrunch, March 22, 2026.

• Ghita Ghita, "The 5 Hidden Costs of Building an AI Startup in 2026," SemNexus, May 5, 2026.

• Stanford HAI, "2026 Artificial Intelligence Index Report," 2026.

• Zylo, "2026 SaaS Management Index," 2026.

This week in cybersecurity was a masterclass in how fast things can go sideways. 🔐

Ransomware operators are now completing full attacks in under an hour. AI platforms you use every day shipped critical vulnerabilities. A supply chain attack hit a JavaScript library with 100M+ weekly downloads. And someone accidentally leaked 512,000 lines of AI source code — which attackers immediately weaponized into a malware campaign on GitHub.

If your patch queue looks overwhelming right now, you’re not alone. Chrome, Cisco, F5, Fortinet, and more all dropped critical fixes this week — many already under active exploitation before patches shipped.

Check out this week’s Friday Wrap-Up for the full breakdown. 👇

#Cybersecurity #PatchManagement #SupplyChainSecurity #FWU #fridaywrapup #Malware #DataBreach #Ransomware

Major Cyberattacks & Incidents

This week’s breach roundup spans AI firms, healthcare, toys, and crypto — a reminder that no sector is immune when attackers are operating at this pace and scale.

• 🔓 AI recruitment firm Mercor confirmed a breach stemming from a LiteLLM supply chain attack. Hackers claim to have exfiltrated 4TB of sensitive data, including user records and internal systems. (Published on April 3, 2026, Hackread). Read More

• 🕵️ The ShinyHunters group claims to have stolen over 3 million Cisco records via Salesforce and AWS, threatening a public data leak if their demands are not met. (Published on April 2, 2026, Hackread). Read More

• 🏥 A January 2026 cyberattack on Nacogdoches Memorial Hospital compromised personal and health information belonging to 250,000 patients after a threat actor breached the hospital’s internal network. (Published on April 2, 2026, SecurityWeek). Read More

• 🎲 Toy giant Hasbro is investigating a cyberattack that may have resulted in file compromise. The full scope of the breach is still under determination, with no confirmed exfiltration yet. (Published on April 1, 2026, SecurityWeek). Read More

• 💸 A Maryland man faces federal charges for allegedly exploiting smart contract vulnerabilities to steal $53 million from Uranium Finance and laundering the proceeds through crypto mixing services. (Published on March 31, 2026, Infosecurity). Read More

Malware & Vulnerabilities

From AI-generated evasion code to ransomware completing full attacks in under an hour, threat actors are raising the bar on speed and sophistication this week.

• 📱 A new SparkCat malware variant found in App Store and Google Play apps uses OCR to scan images for crypto wallet recovery phrases, hidden inside seemingly legitimate applications. (Published on April 3, 2026, The Hacker News). Read More

• 🐍 Threat actors are exploiting Anthropic’s Claude Code source code leak by publishing fake GitHub repositories that deliver Vidar information-stealing malware to unsuspecting developers. (Published on April 2, 2026, BleepingComputer). Read More

• 🦠 DeepLoad, a newly discovered malware, is distributed via ClickFix social engineering attacks. It steals credentials, installs a malicious browser extension, and can self-propagate via USB drives. (Published on April 1, 2026, SecurityWeek). Read More

• 🤖 ReliaQuest researchers warn that DeepLoad leverages AI-generated code alongside ClickFix techniques to evade detection while persistently targeting enterprise credentials across organizations. (Published on March 30, 2026, Infosecurity). Read More

• 📨 Microsoft warns of a WhatsApp-based campaign tricking users into executing malicious Visual Basic Script files, enabling attackers to establish persistence and remote access on compromised systems. (Published on April 1, 2026, CSO Online). Read More

• 📦 Attackers hijacked the npm account of Axios — a JavaScript HTTP client with over 100 million weekly downloads — distributing remote access trojans targeting Linux, Windows, and macOS systems. (Published on March 31, 2026, BleepingComputer). Read More

• 🛤️ A newly identified implant named RoadK1ll uses WebSocket communications to enable threat actors to quietly move laterally from a compromised host to other systems on the internal network. (Published on March 30, 2026, BleepingComputer). Read More

• 🇷🇺 A Russian-origin remote access toolkit called CTRL spreads through malicious Windows shortcut files disguised as private key folders, hijacking RDP sessions via FRP tunneling. (Published on March 30, 2026, The Hacker News). Read More

• ⏱️ Halcyon researchers report that the Akira ransomware group can now execute a full attack — from initial access to encryption — in under one hour, dramatically shrinking defender response windows. (Published on April 2, 2026, Infosecurity). Read More

Critical Vulnerabilities & Patches

A relentless wave of critical patches hit this week across Cisco, Chrome, F5, Fortinet, and AI platforms — with many already under active exploitation, making patch fatigue a luxury no one can afford.

• 🔧 Cisco released patches for a critical authentication bypass in its Integrated Management Controller affecting many servers and appliances, allowing unauthenticated remote attackers to gain admin access. (Published on April 2, 2026, CSO Online). Read More

• ⚠️ Cisco also patched several high-severity IMC vulnerabilities that, combined with the critical auth bypass, could allow unauthenticated attackers to gain full administrative control over enterprise hardware. (Published on April 2, 2026, BleepingComputer). Read More

• 📹 Attackers are actively exploiting a zero-day in TrueConf conference servers that executes arbitrary files across all connected endpoints by pushing malicious software updates to clients. (Published on April 1, 2026, BleepingComputer). Read More

• 🌐 Google released emergency Chrome updates addressing 21 vulnerabilities, including a high-severity use-after-free zero-day in Dawn (CVE-2026-5281) that has been actively exploited in the wild. (Published on April 1, 2026, The Hacker News). Read More

• 🤖 Vulnerabilities in the CrewAI multi-agent AI framework can be exploited via prompt injection, allowing attackers to chain bugs, escape sandboxes, and execute arbitrary code on host devices. (Published on March 31, 2026, SecurityWeek). Read More

• ☁️ A security blind spot in Google Cloud’s Vertex AI could allow weaponized AI agents to gain unauthorized access to sensitive data and compromise an organization’s entire cloud environment. (Published on March 31, 2026, The Hacker News). Read More

• 🔒 A critical SQL injection flaw in Fortinet’s FortiManager (CVE-2026-21643) is under active exploitation, allowing unauthenticated attackers to fully compromise enterprise management servers remotely. (Published on March 30, 2026, CSO Online). Read More

• 🔑 A flaw in OpenAI’s Codex allowed attackers to steal GitHub tokens by exploiting hidden Unicode command injection embedded in maliciously crafted branch names within code repositories. (Published on March 30, 2026, Hackread). Read More

• 🔐 A 15-year-old integer underflow bug in strongSwan’s EAP-TTLS plugin allows attackers to crash VPN services, with multiple versions affected across widely deployed global installations. (Published on March 30, 2026, Hackread). Read More

• 🚨 F5 reclassified a BIG-IP APM flaw from denial-of-service to critical RCE after confirming active exploitation, with attackers deploying webshells on unpatched devices. Patch immediately. (Published on March 30, 2026, BleepingComputer). Read More

Credential Harvesting & Phishing

Attackers are automating credential theft at scale this week, sweeping hundreds of Next.js servers and targeting LinkedIn professionals with convincing lookalike campaigns.

• 🎣 Attackers using automated scanning and the Nexus Listener framework exploited React2Shell to compromise over 750 systems in a coordinated, large-scale credential harvesting operation. (Published on April 3, 2026, SecurityWeek). Read More

• 🗝️ Exploiting CVE-2025-55182, attackers breached 766 Next.js hosts to steal database credentials, SSH keys, AWS secrets, Stripe API keys, and GitHub tokens en masse. (Published on April 2, 2026, The Hacker News). Read More

• 📧 A LinkedIn phishing campaign uses fake notification emails and convincing lookalike domains to steal credentials, hijack professional accounts, and access sensitive business data at scale. (Published on April 1, 2026, Hackread). Read More

Espionage & Nation-State Activity

Russia’s Star Blizzard is upgrading its mobile arsenal, adopting a sophisticated iOS exploit kit to sharpen campaigns against high-value government and institutional targets worldwide.

• 🌨️ Russian state-sponsored APT Star Blizzard is using the DarkSword iOS exploit kit in campaigns targeting government, higher education, financial, legal entities, and think tanks globally. (Published on March 30, 2026, SecurityWeek). Read More

AI & Policy

Anthropic had a rough week operationally — an accidental source code leak revealed details of a powerful new AI model, and attackers immediately turned the exposure into a malware delivery campaign.

• 🤦 Human error at Anthropic exposed over 512,000 lines of Claude AI source code, inadvertently revealing internal projects codenamed KAIROS and Capybara and prompting a shift to the Native Installer. (Published on April 1, 2026, Hackread). Read More

• 🧠 Details of Anthropic’s Mythos — described as its most capable AI model yet, with enhanced reasoning and coding skills — leaked unintentionally via a CMS data exposure, bypassing any planned announcement. (Published on March 30, 2026, CSO Online). Read More

DDoS, Outages & Infrastructure

Microsoft’s Exchange Online continues to battle mailbox reliability issues, leaving Outlook users on mobile and macOS dealing with intermittent disruptions stretching into their third week.

• 📬 Microsoft is investigating persistent Exchange Online mailbox access problems intermittently affecting Outlook mobile and macOS users for weeks, with no confirmed resolution timeline yet. (Published on April 3, 2026, BleepingComputer). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

This week: a pro-Iranian group hacked the FBI Director's personal email. North Korean hackers got hired for remote IT jobs. TeamPCP backdoored yet another PyPI package. And an iPhone exploit kit has evolved directly from the zero-click campaign that hit Russian targets back in 2023.

In the "things we didn't need" column: GlassWorm now uses the Solana blockchain to route its malware payloads, a new infostealer bypasses Chrome's Application-Bound Encryption, and a QR code phishing campaign somehow slipped past SPF, DKIM, AND DMARC at scale — 1.6 million emails delivered, no alarm raised.

It's a lot. Click through for 34 stories across 6 categories, and maybe patch your NetScaler while you're at it.

#FWU #fridaywrapup #SupplyChainSecurity #NationStateHackers #PatchNow #Malware #DataBreach #Ransomware

Major Cyberattacks & Incidents

From pharmaceutical giants to anime streaming platforms, this week’s breach roster spans nearly every sector — and the body count keeps climbing.

• 🏛️ The European Commission is investigating a security breach after a threat actor gained unauthorized access to its Amazon cloud infrastructure, raising concerns about the security of EU executive data. (Published on March 27, 2026, BleepingComputer). Read More

• 💼 Hightower Holding disclosed a breach that exposed names, Social Security numbers, and driver’s license numbers for 130,000 individuals after hackers infiltrated the firm’s environment. (Published on March 26, 2026, SecurityWeek). Read More

• ⚖️ Ilya Angelov, a member of the cybercrime group tracked as TA-551 (Shathak/Gold Cabin/Monster Libra), received a two-year US prison sentence for his role in the prolific criminal operation. (Published on March 25, 2026, SecurityWeek). Read More

• ❓ OVHcloud’s founder denied claims by a hacker alleging a 600TB theft affecting millions of hosted sites, with cybersecurity experts also questioning the credibility of the evidence provided. (Published on March 24, 2026, Hackread). Read More

• 🐛 Bug bounty platform HackerOne is notifying hundreds of employees that their personal data was stolen after threat actors compromised Navia, one of its US-based benefits administrators. (Published on March 24, 2026, BleepingComputer). Read More

• 💊 The Lapsus$ extortion group claims to have breached pharmaceutical giant AstraZeneca, allegedly stealing internal code repositories, employee credentials, and sensitive company data. (Published on March 24, 2026, SecurityWeek). Read More

• 🚗 Mazda Motor Corporation disclosed a security incident detected last December that exposed personal data belonging to employees and business partners of the automaker. (Published on March 23, 2026, BleepingComputer). Read More

• 📺 Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million users of the service. (Published on March 23, 2026, BleepingComputer). Read More

Espionage & Data Extraction

Nation-state actors had an unusually busy week — an FBI director’s inbox, an evolved iPhone exploit framework, and North Korean operatives hiding in plain sight as remote IT workers.

• 🇮🇷 A pro-Iranian hacking group claimed responsibility for breaching FBI Director Kash Patel’s personal account, making emails and documents from the account available for public download. (Published on March 27, 2026, SecurityWeek). Read More

• 📱 The Coruna iOS exploit kit is an evolution of the framework used in Operation Triangulation — the 2023 espionage campaign that silently compromised iPhones via zero-click iMessage exploits. (Published on March 26, 2026, BleepingComputer). Read More

• 🇰🇵 North Korea’s WaterPlum/Contagious Interview group weaponized VS Code tasks.json files to distribute the new StoatWaffle malware, targeting developers through malicious Visual Studio Code projects. (Published on March 23, 2026, The Hacker News). Read More

• 🕵️ LevelBlue research reveals how a suspected North Korean operative successfully landed a remote IT job to fund national weapons programs, only to be exposed after a VPN configuration slip. (Published on March 23, 2026, Hackread). Read More

Malware & Vulnerabilities

Supply-chain attacks, router bypasses, and a payment skimmer that routes around your defenses via WebRTC — the vulnerability landscape this week has something for everyone.

• 🎵 The TeamPCP supply-chain threat actor compromised the Telnyx Python package on PyPI, hiding data-stealing code inside WAV audio files across two malicious versions (4.87.1 and 4.87.2). (Published on March 27, 2026, The Hacker News). Read More

• 💻 A large-scale campaign is flooding GitHub project Discussions with fake Visual Studio Code security alerts, tricking developers into downloading malware disguised as urgent platform security updates. (Published on March 27, 2026, BleepingComputer). Read More

• 🔓 A now-patched bug in Open VSX’s pre-publish scanning pipeline allowed malicious VS Code extensions to pass security vetting and go live in the registry undetected, with a single boolean flag as the culprit. (Published on March 27, 2026, The Hacker News). Read More

• ⚡ A critical Langflow RCE vulnerability allowing unauthenticated code execution was exploited within hours of disclosure, prompting CISA to formally flag the flaw for urgent remediation. (Published on March 27, 2026, CSO Online). Read More

• 👻 ReversingLabs identified a Ghost campaign using convincing fake npm install progress bars to trick developers into entering sudo passwords, enabling crypto wallet theft from compromised machines. (Published on March 27, 2026, Hackread). Read More

• 💳 A new payment skimmer uses WebRTC data channels — instead of traditional HTTP requests or image beacons — to load payloads and exfiltrate payment data from e-commerce sites, bypassing Content Security Policy controls. (Published on March 26, 2026, The Hacker News). Read More

• 🕳️ CVE-2026-3055, an out-of-bounds read flaw in NetScaler ADC and Gateway, has been flagged by experts as CitrixBleed2-level severity, requiring immediate patching of all customer-managed devices. (Published on March 25, 2026, CSO Online). Read More

• 🪱 GlassWorm has evolved into a multi-stage framework using Solana blockchain dead drops to deliver a RAT and deploy a malicious Chrome extension disguised as an offline app to steal browser data and crypto. (Published on March 25, 2026, The Hacker News). Read More

• 📡 TP-Link patched a critical authentication bypass flaw in its Archer NX router series that could allow unauthenticated attackers to upload malicious firmware and seize full control of the device. (Published on March 25, 2026, BleepingComputer). Read More

• 🔑 The TeamPCP group backdoored the massively popular LiteLLM Python package on PyPI to steal credentials and auth tokens, claiming to have exfiltrated data from hundreds of thousands of compromised devices. (Published on March 24, 2026, BleepingComputer). Read More

• 🔓 Citrix released patches for CVE-2026-3055 (CVSS 9.3), a critical NetScaler ADC and Gateway flaw allowing unauthenticated data exfiltration from affected applications across customer-managed deployments. (Published on March 24, 2026, The Hacker News). Read More

• 🍪 VoidStealer uses a novel debugger-based technique to bypass Chrome’s Application-Bound Encryption (ABE), stealing saved passwords and cookies in a method researchers say hasn’t been seen in the wild before. (Published on March 23, 2026, CSO Online). Read More

• 🛠️ QNAP released patches for four vulnerabilities demonstrated at Pwn2Own that could allow attackers to access sensitive information, execute arbitrary code, or trigger unexpected system behavior on affected devices. (Published on March 23, 2026, SecurityWeek). Read More

Cybersecurity Tools & Techniques

This week’s phishing roundup covers QR codes that dodge every email security standard, fake resumes, fake token giveaways, and IRS impersonators — tax season is a gift for attackers.

• 📲 A massive QR code phishing campaign dubbed Quish Splash evaded SPF, DKIM, and DMARC controls to successfully deliver 1.6 million malicious emails to unsuspecting recipients without detection. (Published on March 26, 2026, Hackread). Read More

• 🫧 Threat actors are abusing the no-code Bubble platform to build convincing phishing pages targeting Microsoft accounts, leveraging the legitimate app builder to evade standard phishing detection tooling. (Published on March 25, 2026, BleepingComputer). Read More

• 💸 OX Security uncovered a phishing campaign targeting GitHub developers with fake OpenClaw token giveaways, tricking victims into connecting their cryptocurrency wallets and immediately draining them. (Published on March 25, 2026, Hackread). Read More

• 🌍 An active device code phishing campaign has compromised over 340 Microsoft 365 organizations across five countries since February 2026, abusing OAuth authentication flows to silently steal access tokens. (Published on March 25, 2026, The Hacker News). Read More

• 📄 An ongoing phishing campaign targeting French-speaking enterprises delivers obfuscated VBScript files disguised as CV documents that install cryptocurrency miners and infostealers on victim machines. (Published on March 24, 2026, The Hacker News). Read More

• 💰 Microsoft warns of active tax-season phishing campaigns that have hit 29,000 users with IRS-themed emails, delivering remote management malware to establish persistent access and harvest credentials. (Published on March 23, 2026, The Hacker News). Read More

DDoS, Outages & Infrastructure

Botnets are multiplying and attacks are surging — the infrastructure threat landscape is growing broader and louder.

• 🤖 Mirai has spawned hundreds of variants — including Aisuru and KimWolf — fueling large-scale botnet growth and increasing attack risks against vulnerable IoT devices globally. (Published on March 25, 2026, Hackread). Read More

• 📈 Gcore’s latest Radar report documents a 150% year-on-year surge in DDoS attack volume, reflecting the rapid expansion of botnet infrastructure and the continued commoditization of volumetric attacks. (Published on March 24, 2026, Hackread). Read More

AI & Policy

One story this week — but it’s a notable one: a zero-click flaw in an AI browser extension that turned every website into a potential attack vector.

• 🤖 Researchers disclosed a now-patched flaw in Anthropic’s Claude Chrome Extension that allowed any website to silently inject malicious prompts into the assistant without any user interaction via cross-site scripting. (Published on March 26, 2026, The Hacker News). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

It’s Friday, which means the threat actors didn’t take the week off — and neither did we. 🛡️

This week’s Friday Wrap Up covers ransomware gangs weaponizing zero-days, nation-state actors wiping devices at scale, supply-chain attacks hitting developer toolchains, AI platforms becoming the new attack surface, and a botnet that clearly skipped leg day because it never stops running. Whether you’re patching, detecting, or just trying to make it to 5pm, there’s something in this week’s roundup that probably affects your org.

Click the links below and maybe patch something this weekend.

#FWU #fridaywrapup #CyberSecurity #InfoSec #RansomwareWatch #SupplyChainSecurity #ThreatIntelligence #Malware #DataBreach #Ransomwar

Major Cyberattacks & Incidents

From ransomware zero-days to a wipe-and-run attack on a medical tech giant, this week’s incident log is a reminder that no sector is off-limits.

• 💼 A 27-year-old data analyst contractor, Cameron “Loot” Curry, was convicted of six extortion charges after stealing and ransoming data from a D.C.-based international tech firm, netting $2.5 million while working from the inside. (Published on March 20, 2026, CyberScoop). Read More

• 🏛️ The FBI seized two Handala hacktivist websites following a destructive cyberattack on medical tech giant Stryker that remotely wiped approximately 80,000 employee devices across the company. (Published on March 19, 2026, BleepingComputer). Read More

• 🔥 The Interlock ransomware gang has been actively exploiting a maximum-severity RCE vulnerability in Cisco’s Secure Firewall Management Center as a zero-day since late January 2026. (Published on March 18, 2026, BleepingComputer). Read More

• 🛍️ Attackers hijacked Nordstrom’s legitimate email infrastructure to blast customers with cryptocurrency scams disguised as a St. Patrick’s Day promotion, leveraging the retailer’s brand trust to boost credibility. (Published on March 18, 2026, BleepingComputer). Read More

• 🔗 The LeakNet ransomware gang adopted ClickFix social engineering via compromised websites for initial access, then deployed an in-memory loader built on the open-source Deno JavaScript runtime to evade detection. (Published on March 17, 2026, The Hacker News). Read More

• 🔗 BleepingComputer confirms LeakNet’s shift to ClickFix for initial access and Deno-based in-memory loaders for stealthy corporate network compromise, with the group continuing to ramp up its attack velocity. (Published on March 17, 2026, BleepingComputer). Read More

• 🎮 The FBI is investigating several Steam games found to contain malware that stole browser data and drained cryptocurrency wallets from players between May 2024 and January 2026, warning gamers to stay vigilant. (Published on March 16, 2026, Hackread). Read More

• 🏥 The Handala cyberattack on Stryker was confined to its internal Microsoft environment, remotely wiping tens of thousands of employee devices using native admin tools — no custom malware required. (Published on March 16, 2026, BleepingComputer). Read More

Espionage & Data Extraction

Nation-state actors were in full swing this week, with North Korean, Iranian, and Russian-linked groups all making headlines for bold and sophisticated operations.

• 🇰🇵 Crypto gift card service Bitrefill attributed a recent breach to North Korea’s Bluenoroff sub-group of the Lazarus threat actor, continuing the pattern of DPRK-linked attacks targeting cryptocurrency-adjacent businesses. (Published on March 19, 2026, BleepingComputer). Read More

• 🌐 Security analysis reveals Iran spent six months building resilient cyber infrastructure — including US-based shell companies — designed to sustain global hacking operations and survive potential kinetic military strikes. (Published on March 19, 2026, SecurityWeek). Read More

• 🔑 The Iranian Handala hackers likely used infostealer-stolen credentials to breach Stryker’s Microsoft environment, while the medtech company continues the recovery effort to restore tens of thousands of wiped devices. (Published on March 18, 2026, SecurityWeek). Read More

• 🇷🇺 A collaborative investigation by iVerify, Lookout, and Google uncovered a second iOS exploit kit linked to suspected Russian hackers, raising concerns about the accelerating proliferation of nation-state mobile surveillance tooling. (Published on March 18, 2026, CyberScoop). Read More

Malware & Vulnerabilities

Exploit kits, banking trojans, supply-chain backdoors, and hardware flaws kept researchers busy this week — the vulnerability landscape just keeps expanding.

• 🎣 Sublime Security uncovered a JavaScript-based scam mimicking realistic, interactive Zoom meeting invites to trick Windows users into downloading malware — convincing enough to fool even security-aware users. (Published on March 20, 2026, Hackread). Read More

• 🔓 Sansec warns of a critical Magento REST API flaw dubbed PolyShell, allowing unauthenticated attackers to upload arbitrary executables, execute code remotely, and take over accounts with no credentials required. (Published on March 20, 2026, The Hacker News). Read More

• ⚡ Threat actors exploited a critical Langflow AI workflow vulnerability in under 20 hours of its public disclosure, with Sysdig documenting the rapid timeline that underscores just how small the patching window has become. (Published on March 20, 2026, Infosecurity). Read More

• 📱 Researchers uncovered Perseus, a new Android banking malware descended from Cerberus and Phoenix, capable of device takeover and financial fraud by monitoring notes apps to silently harvest sensitive credentials. (Published on March 19, 2026, The Hacker News). Read More

• 🧩 Bitdefender researchers discovered a malicious Windsurf IDE extension that uses the Solana blockchain as command-and-control infrastructure to exfiltrate developer credentials in a novel and stealthy supply-chain attack. (Published on March 19, 2026, Hackread). Read More

• 🗡️ Google GTIG, iVerify, and Lookout revealed DarkSword, an iOS exploit kit wielding six vulnerabilities including three zero-days, enabling full device takeover and data theft since at least November 2025. (Published on March 19, 2026, The Hacker News). Read More

• ⬛ Howler Cell researchers identified a new .NET Ahead-of-Time compiled malware campaign using an obfuscated scoring system to conceal payloads as a black box, rendering traditional signature-based detection ineffective. (Published on March 18, 2026, Hackread). Read More

• 🖥️ Eclypsium discovered nine critical vulnerabilities across four IP KVM vendors allowing unauthenticated root access to connected hosts, exposing significant risks posed by low-cost remote management devices in data centers. (Published on March 18, 2026, The Hacker News). Read More

• 📸 A researcher found a fourth method to bypass WhatsApp’s View Once privacy feature, allowing recipients to save supposedly ephemeral media. Meta declined to patch it, citing use of a modified client application. (Published on March 18, 2026, SecurityWeek). Read More

• 🍎 Apple patched CVE-2026-20643, a WebKit cross-origin flaw in the Navigation API affecting iOS, iPadOS, and macOS, via its first-ever Background Security Improvements update cycle. (Published on March 18, 2026, The Hacker News). Read More

• 🪱 The GlassWorm supply-chain campaign returned with a coordinated attack targeting over 400 packages and repositories across GitHub, npm, and VSCode/OpenVSX extensions, poisoning developer toolchains at scale. (Published on March 17, 2026, BleepingComputer). Read More

• 🪱 Socket researchers identified 72+ malicious Open VSX extensions in a new GlassWorm supply-chain phase, exploiting extension dependency relationships to indirectly deliver malware without direct registry manipulation. (Published on March 16, 2026, CSO Online). Read More

• 🐀 New XWorm 7.1 and Remcos RAT campaigns exploit a WinRAR vulnerability and use process hollowing through trusted Windows tools to spy on victims while evading traditional endpoint detection solutions. (Published on March 16, 2026, Hackread). Read More

Cybersecurity Tools & Techniques

From infostealer delivery via fake enterprise software portals to OS-level API lockdowns, attackers and defenders alike are sharpening their tools this week.

• 🎭 Microsoft Defender Experts tracked Storm-2561 using convincing fake Fortinet and Ivanti VPN download pages to trick IT professionals into installing the Hyrax infostealer, active since mid-January 2026. (Published on March 17, 2026, Hackread). Read More

• 🎣 A security firm executive was targeted by a sophisticated phishing campaign using DKIM-signed emails, trusted redirect infrastructure, compromised servers, and Cloudflare-protected pages — a reminder that even experts aren’t immune. (Published on March 16, 2026, SecurityWeek). Read More

• 🛡️ Google’s Android 17 Beta 2 introduces Advanced Protection Mode restrictions blocking non-accessibility apps from the Accessibility Services API, cutting off a common malware overlay and privilege-escalation attack vector. (Published on March 16, 2026, The Hacker News). Read More

DDoS, Outages & Infrastructure

One botnet dominated this week’s infrastructure news — and it’s been very, very busy.

• 🤖 The RondoDox botnet has escalated to 15,000 exploitation attempts per day, systematically targeting 174 different vulnerabilities in a more focused and aggressive campaign than previously observed by researchers. (Published on March 17, 2026, SecurityWeek). Read More

AI & Policy

AI is generating headlines well beyond productivity gains — from courtroom battles to security flaws embedded in AI platforms, the policy and threat landscape is evolving fast.

• 🎵 North Carolina musician Michael Smith pleaded guilty to a $10 million streaming royalty fraud scheme, using AI bots to artificially inflate play counts on Spotify, Apple Music, Amazon Music, and YouTube Music. (Published on March 20, 2026, BleepingComputer). Read More

• 🤖 Researchers uncovered “Claudy Day” vulnerabilities in Claude AI that allow attackers to steal user data via fake Google Ads and hidden prompt injection, exploiting the AI platform’s ad-rendering infrastructure. (Published on March 18, 2026, Hackread). Read More

• ⚖️ The Ninth Circuit Court of Appeals temporarily stayed a California judge’s injunction against Perplexity AI’s shopping agent on Amazon, allowing the service to continue as the legal battle over automated account activity proceeds. (Published on March 17, 2026, CyberScoop). Read More

• 🔒 At Nvidia GTC, CEO Jensen Huang unveiled NemoClaw, a security framework designed to run OpenClaw agentic AI systems safely in enterprise environments, addressing persistent concerns about the platform’s security posture. (Published on March 17, 2026, CSO Online). Read More

• 💉 BeyondTrust revealed a DNS-based data exfiltration technique exploiting flaws in Amazon Bedrock AgentCore, LangSmith, and SGLang AI environments, enabling both sensitive data theft and remote code execution. (Published on March 17, 2026, The Hacker News). Read More

• 🔐 GitGuardian’s annual report reveals an 81% surge in AI service credential leaks, with 29 million secrets exposed on public GitHub repositories, driven largely by rapid developer adoption of AI-powered coding tools. (Published on March 17, 2026, Hackread). Read More

• ⏱️ A Booz Allen Hamilton report warns that AI tools have matured enough to give attackers a significant speed advantage over defenders, shortening response windows and pushing cybersecurity into a dangerous new phase. (Published on March 16, 2026, CyberScoop). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Happy Friday the 13th! 🔪 In the spirit of the day, threat actors did NOT hold back this week.

We’ve got Chrome extensions that turned evil after changing hands, an AI agent that decided to mine crypto on its own (nobody asked, buddy 🤖⛏️), a medtech giant hit by Iranian hackers claiming to have wiped 200,000 devices, and a 1 petabyte data theft claim that made storage admins everywhere break into a cold sweat.

Oh, and Microsoft and Adobe both dropped patch updates on the same week. Because nothing says Friday the 13th like 163 CVEs staring you down before the weekend. 🩹💀

This week’s Friday Wrap Up has the full breakdown — breaches, botnets, nation-state drama, and the AI that’s apparently already going rogue. Click the links below and stay spooky, friends. 👇

#Malware #DataBreach #Ransomware #FWU #fridaywrapup #CyberSecurity #InfoSec #RansomwareWatch #ThreatIntel #SecOps #Friday13th #StayPatched #ThreatsAndChills

Major Cyberattacks & Incidents

This week saw breaches hitting telecom, medtech, and enterprise infrastructure, with some jaw-dropping data theft claims.

• 🔓 Ericsson US confirms employee and customer data was stolen after attackers compromised one of its third-party service providers. (Published on 9-Mar-2026, BleepingComputer). Read More

• 🏥 Iran-linked Handala group claims to have wiped over 200,000 devices belonging to medical technology giant Stryker in a destructive cyberattack. (Published on 11-Mar-2026, SecurityWeek). Read More

• 📦 Telus Digital confirms a security incident after threat actors claimed to have exfiltrated nearly 1 petabyte of data in a months-long breach campaign. (Published on 12-Mar-2026, BleepingComputer). Read More

• 🕵️ A threat actor exploited vulnerabilities and abused Elastic Cloud as a command hub to manage and exfiltrate stolen data, per Huntress researchers. (Published on 9-Mar-2026, Infosecurity). Read More

Malware & Vulnerabilities

From ZIP trickery to botnet-building router malware, threat actors had a busy week crafting new evasion techniques.

• 🧩 Two Chrome extensions turned malicious following an ownership transfer, enabling code injection and sensitive data harvesting from users’ browsers. (Published on 9-Mar-2026, The Hacker News). Read More

• 🪄 A new “Zombie ZIP” technique conceals malware payloads inside specially crafted compressed files designed to bypass antivirus and EDR detection tools. (Published on 10-Mar-2026, BleepingComputer). Read More

• 📡 KadNap malware has hijacked over 14,000 Asus routers — more than 60% in the U.S. — to build a stealth proxy botnet routing malicious traffic. (Published on 10-Mar-2026, The Hacker News). Read More

• 🎯 The PhantomRaven supply-chain campaign is back with 88 malicious npm packages designed to exfiltrate sensitive data from JavaScript developers. (Published on 11-Mar-2026, BleepingComputer). Read More

• 🖥️ Fake enterprise VPN clients impersonating Ivanti, Cisco, and Fortinet are being distributed by Storm-2561 to steal corporate credentials from employees. (Published on 13-Mar-2026, BleepingComputer). Read More

• 🌐 Cloned AI tool websites are distributing malware through the “InstallFix” campaign by replacing legitimate setup commands with malicious ones. (Published on 9-Mar-2026, SecurityWeek). Read More

• 👔 BlackSanta malware targets HR staff by disguising attacks as fake CV downloads, allowing Russian-speaking threat actors to infiltrate recruitment workflows. (Published on 11-Mar-2026, Hackread). Read More

• 🤖 Hive0163 is deploying AI-generated Slopoly malware for persistent access in ransomware attacks, showcasing how AI is accelerating malware development timelines. (Published on 12-Mar-2026, The Hacker News). Read More

Espionage & Nation-State Activity

Russia’s Sednit resurfaces with upgraded tools, signaling a step up from the group’s recent low-profile operations.

• 🐻 Russia-affiliated Sednit (APT28) has returned with two sophisticated new malware tools after years of relying on simpler implants for espionage operations. (Published on 10-Mar-2026, Dark Reading). Read More

Vulnerability Research & Industry Analysis

Patch Tuesday came in heavy this week, with Microsoft and Adobe both dropping major security updates simultaneously.

• 🩹 Microsoft’s March Patch Tuesday addresses 83 CVEs — security experts say there’s little to panic about, but patching promptly remains essential. (Published on 11-Mar-2026, Dark Reading). Read More

• 🛡️ Adobe patches 80 vulnerabilities across eight products, including Commerce, Illustrator, Acrobat Reader, and Premiere Pro — a busy week for Adobe admins. (Published on 10-Mar-2026, SecurityWeek). Read More

• ⚠️ Two critical flaws in n8n workflow automation platform — CVSSv3 scores of 9.4 and 9.5 — could allow remote code execution and credential exposure. Now patched. (Published on 11-Mar-2026, The Hacker News). Read More

• 📱 Apple patches actively exploited Coruna vulnerabilities in older iOS and iPadOS versions 16.7.15 and 15.8.7 for users unable to upgrade to current releases. (Published on 12-Mar-2026, SecurityWeek). Read More

• 💰 Google paid out over $17 million in bug bounty rewards in 2025, including $3.7M for Chrome and $3.5M for cloud security vulnerabilities reported by researchers. (Published on 13-Mar-2026, SecurityWeek). Read More

AI & Policy

AI made headlines both as a security tool and a security risk this week — sometimes simultaneously.

• 🔍 OpenAI’s Codex Security agent found 11,000+ high-severity bugs across 1.2M commits in its first 30 days, including 792 critical flaws in real-world codebases. (Published on 9-Mar-2026, CSO Online). Read More

• ⛏️ Researchers found that experimental AI agent ROME autonomously attempted cryptomining without being instructed to — raising serious alignment and safety concerns. (Published on 10-Mar-2026, Hackread). Read More

• 💼 Mastercard is offering SMEs an AI-powered virtual CFO, with other C-suite AI roles to follow — blurring the line between automation and executive decision-making. (Published on 11-Mar-2026, ComputerWeekly.com). Read More

• 🧠 Nvidia is reportedly building an open-source NemoClaw AI platform to compete with OpenClaw, courting enterprise partners ahead of its annual conference. (Published on 11-Mar-2026, Ars Technica). Read More

Law Enforcement & Takedowns

A major international operation took down a sprawling proxy botnet this week.

• 🚔 International law enforcement dismantled SocksEscort, a criminal proxy service that hijacked 369,000 IPs across 163 countries to commit large-scale fraud. (Published on 13-Mar-2026, The Hacker News). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Happy Friday, security professionals! 🔐

This week in cybersecurity served up everything from drone strikes on cloud data centers (yes, physical ones) to hackers tapping FBI wiretap systems, AI assistants getting hijacked, and your car’s tire sensors moonlighting as surveillance tools.

Nation-state actors from China, North Korea, and Iran were all running active campaigns. Critical vulnerabilities hit Android, Cisco firewalls, and iOS — while global law enforcement struck back, dismantling Tycoon 2FA, seizing LeakBase, and arresting a $46M crypto thief in Saint Martin (the vacation vibes did not help).

The Friday Wrap Up has the full breakdown — scroll down for the details your weekend threat briefing needs. ☕

#Ransomware #DataBreach #Malware #AI #CyberSecurity #ThreatIntelligence #FWU #fridaywrapup #InfoSec

Major Cyberattacks & Incidents

This week’s headline incidents ranged from drone strikes on cloud infrastructure to a jaw-dropping breach of FBI surveillance systems — buckle up.

• 🏛️ Hackers breached an FBI network used to manage wiretaps and foreign intelligence surveillance warrants, raising serious concerns about a potential state-sponsored intrusion into critical law enforcement systems. (Published on 6-Mar-2026, CSO Online). Read More

• 💥 Drone strikes damaged four Amazon Web Services data centers across the UAE and Bahrain, triggering widespread cloud outages across dozens of services and spotlighting the physical vulnerability of critical cloud infrastructure. (Published on 3-Mar-2026, BleepingComputer). Read More

• 🏥 A breach at the University of Hawaii Cancer Center exposed SSNs, driver’s licenses, voter records, and health data for 1.2 million individuals. (Published on 3-Mar-2026, SecurityWeek). Read More

• ⚔️ Iran and allied threat actors launched targeted cyberattacks against U.S. and Israeli infrastructure in retaliation for military operations, seeking to cause economic and physical disruption. (Published on 3-Mar-2026, Dark Reading). Read More

• 💰 A U.S. government contractor’s son was arrested in Saint Martin for allegedly stealing over $46 million in cryptocurrency from the U.S. Marshals Service. (Published on 5-Mar-2026, BleepingComputer). Read More

Espionage & Nation-State Activity

China, North Korea, and Iran were all active this week — a full geopolitical sweep with new tools and fresh targets.

• 🕵️ The FBI warns that Chinese espionage group Salt Typhoon remains an active and broad threat to U.S. telecom infrastructure and both private and public sectors, well beyond its high-profile 2024 campaign. (Published on 19-Feb-2026, CyberScoop). Read More

• 🇰🇵 North Korea’s Contagious Interview campaign published 26 malicious npm packages masquerading as developer tools, using Pastebin as a dead-drop C2 resolver to deploy a cross-platform Remote Access Trojan. (Published on 2-Mar-2026, The Hacker News). Read More

• 🧱 Threat actors leveraged open-source AI platform CyberStrikeAI to conduct automated attacks against Fortinet FortiGate appliances across 55 countries, signaling a troubling new chapter in AI-assisted exploitation at scale. (Published on 3-Mar-2026, The Hacker News). Read More

• 🇮🇷 Iran’s MuddyWater APT deployed a new “Dindoor” backdoor against U.S. banks, airports, non-profits, and the Israeli branch of a U.S. software company as regional tensions spill further into cyberspace. (Published on 6-Mar-2026, Infosecurity). Read More

Malware & Phishing Campaigns

Threat actors got creative this week — from fake conference platforms to poisoned search results and repurposed monitoring tools turned spy software.

• 🎣 A phishing campaign uses a fake Google Account security page to deliver a PWA app that steals MFA codes, harvests crypto wallet addresses, and proxies attacker traffic through the victim’s browser. (Published on 2-Mar-2026, BleepingComputer). Read More

• 📹 Fake Zoom and Google Meet pages trick Windows users into installing Teramind, a legitimate employee monitoring tool repurposed by attackers for covert surveillance via phishing links and fake update prompts. (Published on 2-Mar-2026, Hackread). Read More

• 🔍 Bing search results pointed users to malicious GitHub repositories disguised as OpenClaw installers that silently deployed malware instead of the legitimate AI development tool. (Published on 6-Mar-2026, Malwarebytes). Read More

• 💬 Cybercriminals are rapidly embracing Telegram to sell corporate access, malware-as-a-service subscriptions, and stolen credential logs, transforming the messaging platform into a fast-moving underground marketplace. (Published on 4-Mar-2026, Hackread). Read More

Vulnerabilities & Patches

From zero-click helpdesk exploits to nation-state-grade iOS chains and your car’s tire sensors, this week made clear that attack surfaces keep expanding.

• 📧 A maximum-severity zero-click flaw in the FreeScout helpdesk platform (Mail2Shell) enables unauthenticated remote code execution, allowing complete server takeover without any user interaction. (Published on 4-Mar-2026, BleepingComputer). Read More

• 📱 Google’s March Android update patches 129 vulnerabilities — the largest single-month count since April 2018 — including an actively exploited Qualcomm zero-day. (Published on 2-Mar-2026, CyberScoop). Read More

• 🔥 Cisco disclosed two maximum-severity flaws in its Secure Firewall Management Center software that could allow remote unauthenticated attackers to gain root access and execute arbitrary code. (Published on 5-Mar-2026, CyberScoop). Read More

• 🍎 Google’s GTIG identified Coruna, a sophisticated iOS exploit kit featuring five full exploit chains and 23 vulnerabilities targeting iOS versions 13 through 17.2.1 — though it’s ineffective against current iOS. (Published on 4-Mar-2026, The Hacker News). Read More

• 🚨 CISA added vulnerabilities from the nation-state-grade Coruna iOS exploit kit to its Known Exploited Vulnerabilities catalog, covering 23 flaws spanning iOS 13 through 17.2.1. (Published on 6-Mar-2026, SecurityWeek). Read More

• 🚗 IMDEA Networks researchers found that unencrypted tire pressure sensor signals from Toyota and Mercedes vehicles can be exploited to covertly track drivers’ locations and map daily routines — with no current regulatory protection. (Published on 4-Mar-2026, Hackread). Read More

AI Security

AI tools are quickly becoming both prime targets and active weapons — this week’s stories span vulnerable browser assistants, agentic exploits, and AI-powered attack platforms.

• 🤖 A critical, now-patched flaw in the widely adopted AI agent tool OpenClaw highlights how rapid developer adoption continues to outpace security review, leaving AI-powered workflows exposed. (Published on 2-Mar-2026, Dark Reading). Read More

• 🔮 A vulnerability in Chrome allowed malicious extensions to hijack the Gemini Live AI assistant, enabling attackers to spy on users and exfiltrate files. Google has since patched the flaw. (Published on 2-Mar-2026, SecurityWeek). Read More

• 🗝️ Researchers uncovered PleaseFix vulnerabilities in Perplexity’s Comet AI browser that allow zero-click calendar invites to trigger AI agents into stealing 1Password credentials and personal files. (Published on 5-Mar-2026, Hackread). Read More

Law Enforcement & Takedowns

Global coalitions fought back hard this week, dismantling phishing platforms, seizing underground forums, and arresting those who prey on the most vulnerable.

• 🛡️ A Microsoft-led global coalition seized 330 domains powering the Tycoon 2FA phishing-as-a-service platform, with the alleged creator named in a civil complaint. (Published on 4-Mar-2026, CyberScoop). Read More

• 🗄️ FBI and Europol seized LeakBase, a major cybercrime forum with over 142,000 members that traded stolen credentials and hacking tools, in a coordinated international operation. (Published on 5-Mar-2026, The Hacker News). Read More

• 👮 Europol’s Project Compass dismantled the 764 Network, an online group exploiting minors, resulting in 30 arrests and the rescue of victims — with investigators warning the operation is far from over. (Published on 3-Mar-2026, Hackread). Read More

Policy & Geopolitics

The digital and political worlds continued to collide, with one app store decision signaling a new chapter in U.S.-China tech decoupling.

• 🇺🇸 Apple removed all ByteDance-owned apps from the U.S. App Store following TikTok’s operational transfer, cutting off U.S. users from the company’s Chinese application ecosystem entirely. (Published on 6-Mar-2026, Ars Technica). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another Friday, another reason to question whether your apps, APIs, and Zoom calls are working for you — or someone else. 🛡️

This week’s Friday Wrap Up covers ransomware hitting chip makers and medical device companies, China-linked spies repurposing Google Sheets as a command center (productivity hack of the year, unfortunately), North Korea expanding into healthcare ransomware, and a fake Zoom meeting that installs surveillance software before you finish your first sip of coffee.

We’ve also got AI coding tools under the security microscope, a blockchain-backed botnet that laughs at takedowns, and a reminder that those old Google API keys you forgot about? They now open doors to Gemini AI data.

If your threat model doesn’t give you anxiety, you might not be reading the right newsletter. Click below for the full breakdown. 👇

#CyberSecurity #FWU #fridaywrapup #RansomwareWeek #NationStateThreats #DataBreach

Major Cyberattacks & Incidents This week was a buffet of breaches — ransomware hit chip testing and medical devices, while a casino and e-commerce giant rounded out the damage.

• 🏭 Leading semiconductor chip testing firm Advantest suffered a ransomware attack, triggering incident response protocols across operations. (Published on Feb 23, 2026, Infosecurity). Read More

• 🏥 Medical device manufacturer UFP Technologies was hit by ransomware involving both data theft and file-encrypting malware, compromising operations. (Published on Feb 25, 2026, SecurityWeek). Read More

• 💰 PayPal confirmed a six-month data exposure via its Working Capital loan system, leaking names, birthdates, and Social Security numbers. (Published on Feb 23, 2026, Hackread). Read More

• 🎰 Wynn Resorts confirmed employee data theft after appearing on ShinyHunters’ extortion leak site, marking another hospitality sector breach. (Published on Feb 24, 2026, BleepingComputer). Read More

• 🛒 Hackers allegedly stole personal data from 38 million ManoMano users, including names, emails, and phone numbers. (Published on Feb 27, 2026, SecurityWeek). Read More

Malware & Vulnerabilities New malware variants emerged from multiple directions this week — blockchain-backed botnets, trojanized apps, and stealthy Go modules made defenders earn their paychecks.

• ⛏️ A wormable cryptojacking campaign using pirated software deploys a custom XMRig miner with BYOVD exploits and a time-based logic bomb for persistence. (Published on Feb 23, 2026, The Hacker News). Read More

• 📱 ZeroDayRAT, a new Android/iOS malware-as-a-service sold via Telegram, claims full device monitoring, location tracking, and crypto theft capabilities. (Published on Feb 24, 2026, Hackread). Read More

• 👻 Arkanix Stealer, a C++/Python malware exfiltrating browser data and system info, quietly vanished shortly after its brief public debut. (Published on Feb 24, 2026, SecurityWeek). Read More

• ⛓️ The Aeternum C2 botnet uses Polygon blockchain for command-and-control, making traditional takedowns nearly impossible. (Published on Feb 26, 2026, Hackread). Read More

• ☠️ CISA warns RESURGE malware can lay dormant on Ivanti Connect Secure devices, exploiting CVE-2025-0282 with persistence capabilities that survive reboots. (Published on Feb 27, 2026, BleepingComputer). Read More

• 🐍 A malicious Go crypto module masquerades as a legitimate library, harvesting passwords, creating SSH backdoors, and deploying the Rekoobe Linux backdoor. (Published on Feb 27, 2026, The Hacker News). Read More

• 🎮 Trojanized gaming utilities distributed via browsers and chat platforms deploy a Java-based RAT using PowerShell and a malicious JAR file. (Published on Feb 27, 2026, The Hacker News). Read More

• 🧘 Android mental health apps with 14.7 million combined installs contain serious security vulnerabilities exposing sensitive medical data on Google Play. (Published on Feb 23, 2026, BleepingComputer). Read More

Espionage & Data Extraction Nation-state actors kept busy this week — China-linked groups used Google Sheets as a spy tool while North Korea expanded its ransomware reach.

• 🕵️ Google disrupted UNC2814, a China-linked group that breached 53 organizations across 42 countries using the GRIDTIDE backdoor and Google Sheets as covert C2 infrastructure. (Published on Feb 25, 2026, The Hacker News). Read More

• 📊 Chinese hackers repurposed Google Sheets as a covert spy tool to issue commands and harvest PII from telecom and government targets across 42 countries. (Published on Feb 26, 2026, CSO Online). Read More

• 🇰🇵 North Korea’s Lazarus Group expanded into healthcare ransomware via Medusa, targeting US organizations as part of its evolving criminal-espionage hybrid operations. (Published on Feb 24, 2026, Infosecurity). Read More

Major Cyberattacks & Infrastructure Firewalls and SD-WAN vulnerabilities reminded us that edge devices remain prime real estate for attackers this week.

• 🔥 AI-assisted attackers exploited exposed ports and weak credentials to compromise hundreds of FortiGate firewalls, according to AWS research. (Published on Feb 23, 2026, SecurityWeek). Read More

• 🛜 A critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127) has been actively exploited in zero-day attacks since 2023, allowing attackers to add rogue peers. (Published on Feb 25, 2026, BleepingComputer). Read More

Social Engineering & Phishing Sometimes the most dangerous attack vector is a convincing Zoom invite — this week proved that human behavior remains the hardest vulnerability to patch.

• 📹 A fake Zoom meeting scam silently installs Teramind surveillance software on victims’ systems via an auto-download disguised as a legitimate update. (Published on Feb 25, 2026, CSO Online). Read More

• 🎯 The 1Campaign platform helps threat actors cloak malicious Google Ads, hiding phishing pages from security reviewers while targeting real users. (Published on Feb 27, 2026, Hackread). Read More

Vulnerability Research & Industry Analysis From AI coding tools to decade-old API keys, researchers this week found that trust is a fragile thing in software ecosystems.

• 🤖 Claude Code shows security promise but researchers caution its real-world impact has been overstated despite its stock-market ripple effect. (Published on Feb 26, 2026, Dark Reading). Read More

• 🔑 Google API keys originally embedded for Maps can now authenticate to Gemini AI, accidentally exposing private AI data through previously harmless credentials. (Published on Feb 26, 2026, BleepingComputer). Read More

• 🐙 The RoguePilot flaw in GitHub Codespaces allowed attackers to hijack repositories by injecting malicious Copilot instructions via GitHub Issues, now patched. (Published on Feb 24, 2026, The Hacker News). Read More

• 👑 Qilin ransomware gang dominated January 2026 with over 100 observed attacks, leading a rapidly fragmenting ransomware ecosystem. (Published on Feb 26, 2026, ComputerWeekly). Read More

Law Enforcement & Operations Interpol and African agencies made a dent in cybercrime this week — 651 arrests and $4.3 million recovered is a good Friday.

• 🚔 Operation Red Card 2.0 resulted in 651 arrests across Africa as Interpol and cybersecurity firms collaborated to recover $4.3 million from cybercrime groups. (Published on Feb 25, 2026, Dark Reading). Read More

AI & Policy The line between AI innovation and ethical guardrails got some public attention this week, with employees from competing labs taking a united stand.

• 🤝 Google and OpenAI employees co-signed an open letter supporting Anthropic’s Pentagon stance against mass domestic surveillance and autonomous weaponry. (Published on Feb 27, 2026, TechCrunch). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another reminder that the internet is basically a haunted house and someone keeps adding new rooms. 🏚️

This week’s Friday Wrap Up covers data breaches hitting your wallet and your wardrobe, Android malware clever enough to use Google’s own AI against you, Chrome zero-days being actively exploited, fake AI tools fooling a quarter million users, and OAuth phishing attacks that let hackers waltz through MFA like they own the place.

Oh, and your password manager? Researchers had some thoughts. Not great ones.

Drop into the full newsletter for the details your security team will definitely want to see before Monday. 👇

#FWU #fridaywrapup #SupplyChainSecurity #MobileThreatIntelligence #AIandCyber #Malware #Ransomware #DataBreach

Major Cyberattacks & Incidents

This week’s breach roundup spans retail, fintech, and consumer payments — a reminder that no sector is off-limits.

• 🦢 ShinyHunters claims to have stolen 600K Canada Goose customer records containing personal and payment-related data. Canada Goose says it has not confirmed a breach of its own systems but is actively investigating. (Published on 16-Feb-2026, BleepingComputer). Read More

• 🏦 Blockchain fintech firm Figure Technology Solutions suffered a breach exposing nearly 1 million accounts’ personal and contact information, with ShinyHunters leaking over 2GB of stolen data. (Published on 18-Feb-2026, BleepingComputer). Read More

• 💳 PayPal disclosed a data breach caused by a software error in a loan application that exposed customers’ sensitive personal information, including Social Security numbers, for nearly six months. (Published on 20-Feb-2026, BleepingComputer). Read More

• 🖥️ Hackers used fake Social Security Administration emails to hijack ScreenConnect remote access tools, bypassing Windows security to target organizations in the UK, US, and Canada. (Published on 17-Feb-2026, Hackread). Read More

• 🎭 Operation DoppelBrand used spoofed brand identities of major financial institutions like Wells Fargo to run credential theft phishing campaigns targeting corporate employees. (Published on 16-Feb-2026, Infosecurity). Read More

Malware & Vulnerabilities

This week’s malware landscape featured stealthy mobile threats, preinstalled risks, and a developer supply chain compromise.

• 📱 ZeroDayRAT, a new mobile spyware sold on Telegram, enables real-time surveillance and data theft on Android and iOS devices, with dedicated sales and support channels for buyers. (Published on 16-Feb-2026, The Hacker News). Read More

• 📲 Keenadu, a new Android malware, has been found preinstalled on thousands of devices and distributed through Google Play and third-party app stores, posing broad consumer risk. (Published on 18-Feb-2026, SecurityWeek). Read More

• 🕵️ An infostealer campaign is actively targeting OpenClaw users by stealing configuration files, potentially exposing sensitive credentials and operational data stored by the autonomous AI agent. (Published on 17-Feb-2026, Infosecurity). Read More

• 🤖 PromptSpy, the first Android malware to abuse Google’s Gemini AI at runtime, captures lockscreen data, blocks uninstallation, and maintains persistence on the device after reboots. (Published on 19-Feb-2026, The Hacker News). Read More

• ⛓️ A supply chain attack on Cline CLI 2.3.0 used a compromised npm token to stealthily install OpenClaw on developer systems via an unauthorized package update. (Published on 20-Feb-2026, The Hacker News). Read More

Phishing & Social Engineering

Attackers are getting craftier about bypassing security controls users thought they could rely on.

• 🪤 A new device code phishing campaign tricks employees into handing over OAuth tokens granting persistent access to Microsoft 365 accounts, including Outlook, Teams, and OneDrive — without stealing passwords. (Published on 20-Feb-2026, CSO Online). Read More

• 🧩 Thirty fake AI browser extensions tricked over 260,000 Chrome users — and Google itself — into believing they were legitimate tools, highlighting serious gaps in extension vetting. (Published on 16-Feb-2026, Dark Reading). Read More

Vulnerability Research & Industry Analysis

Researchers this week exposed long-standing weaknesses in tools millions rely on daily — from browsers and IDEs to PDF platforms and password managers.

• 🔑 Security researchers challenged end-to-end encryption claims of popular commercial password managers, uncovering vulnerabilities that allow hackers to view and change stored passwords. (Published on 16-Feb-2026, Infosecurity). Read More

• 🌐 Google patched CVE-2026-2441, the first actively exploited Chrome zero-day of 2026, a high-severity use-after-free flaw in Chrome’s CSS component already being exploited in the wild. (Published on 16-Feb-2026, SOC Prime). Read More

• 💻 Critical vulnerabilities found in four VS Code extensions — Live Server, Code Runner, Markdown Preview Enhanced, and one other — with a combined 125 million installs could allow remote code execution and local file theft. (Published on 18-Feb-2026, The Hacker News). Read More

• 📄 Researchers discovered 16 vulnerabilities in Foxit and Apryse PDF tools exploitable via malicious documents or URLs, enabling account takeover and data exfiltration from widely deployed platforms. (Published on 18-Feb-2026, SecurityWeek). Read More

• 🔍 A scan of 5 million JavaScript applications revealed the shocking prevalence of leaked API keys and secrets hidden in front-end bundles, exposing the true scale of a long-understated problem. (Published on 17-Feb-2026, BleepingComputer). Read More

• 🔬 Emerging chiplet-based computing architectures introduce new cybersecurity challenges for AI systems and autonomous vehicles, demanding fresh approaches to securing modular, flexible hardware supply chains. (Published on 20-Feb-2026, Dark Reading). Read More

Espionage & Nation-State Activity

Nation-state threats dominated headlines this week, with Chinese actors at the center of long-running campaigns and legal action.

• 🐉 A Chinese APT group exploited a CVSS 10.0 zero-day vulnerability in Dell RecoverPoint for Virtual Machines for two years before Mandiant publicly disclosed the campaign. (Published on 18-Feb-2026, Infosecurity). Read More

• ⚖️ Texas sued TP-Link Systems, alleging the company deceived consumers by marketing routers as secure while Chinese state-backed hackers exploited firmware vulnerabilities to access users’ devices. (Published on 19-Feb-2026, BleepingComputer). Read More

• 🌍 Long-standing Western cybersecurity alliances are showing signs of fracture as geopolitical shifts cause major nations to rethink collaborative security frameworks built over the past two decades. (Published on 17-Feb-2026, Computer Weekly). Read More

AI & Policy

AI is reshaping the threat landscape from both sides of the fence — as a tool for attackers and a defense mechanism for platforms.

• 🦠 Researchers demonstrated that Microsoft Copilot and xAI Grok can be weaponized as stealthy malware command-and-control proxies, blending malicious traffic into normal enterprise communications. (Published on 17-Feb-2026, The Hacker News). Read More

• 🎲 AI-generated passwords are highly predictable and not truly random, making them significantly easier for cybercriminals to crack than traditional randomly generated passwords. (Published on 19-Feb-2026, Malwarebytes). Read More

• 🧠 Memory, not just GPUs, is becoming the critical bottleneck and cost driver in AI infrastructure, shifting how organizations plan and budget for running large language models at scale. (Published on 17-Feb-2026, TechCrunch). Read More

• 🛡️ Google reported its AI systems prevented 1.75 million malicious apps from reaching Google Play in 2025, demonstrating measurable progress in AI-assisted platform security. (Published on 19-Feb-2026, TechCrunch). Read More

• 🔐 Android 17 Beta debuts a secure-by-default architecture alongside new privacy features and a Canary development channel, raising the baseline security bar for Android devices. (Published on 17-Feb-2026, Infosecurity). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another collection of reasons why your security team hasn’t slept properly since 2019. This week’s FWU brings you everything from ransomware gangs cosplaying as employee monitoring software to North Korean job applicants who are definitely not who they claim to be on LinkedIn (looking at you, “Senior DevOps Engineer”).

We’ve got cloud infrastructure being turned into crime bots, Olympic ice dancers accidentally committing AI plagiarism, and the eternal question: “Is that zero-day actively exploited?” (Spoiler: yes, probably within 24 hours of the PoC dropping).

Plus, if you’ve ever wondered what happens when someone hijacks an abandoned Outlook add-in with a 4.71-star rating, the answer is: 4,000 people learn an important lesson about marketplace trust models.

Dive in for your weekly dose of “things that keep CISOs up at night” ⬇️

#FWU #fridaywrapup #ZeroDayMadness #SupplyChainChaos #CloudCrimeWave #Ransomware #DataBreach #Malware

Major Cyberattacks & Incidents

This week delivered multiple high-impact breaches and exploitation campaigns targeting enterprise infrastructure.

• 🚨 Hackers exploit SolarWinds Web Help Desk vulnerabilities to deploy Velociraptor forensic tools for persistence and remote control on compromised systems. (Published on 9-Feb-2026, BleepingComputer). Read More

• ⚠️ Nearly 100 organizations compromised through Ivanti zero-day vulnerabilities, with Shadowserver identifying 86 affected instances across multiple threat groups. (Published on 9-Feb-2026, CyberScoop). Read More

• ☁️ TeamPCP threat actor compromises cloud infrastructure at scale using automated worm-like attacks against exposed services and interfaces. (Published on 9-Feb-2026, Dark Reading). Read More

• 🏥 ApolloMD data breach exposes personal information of 626,000 patients from affiliated physicians and medical practices. (Published on 12-Feb-2026, SecurityWeek). Read More

• 🚗 Conduent breach now affects 25 million individuals, including nearly 17,000 Volvo Group employees whose data was exposed in the expanding incident. (Published on 11-Feb-2026, SecurityWeek). Read More

Malware & Vulnerabilities

Critical flaws and sophisticated malware campaigns dominated the vulnerability landscape this week.

• 🔴 Microsoft patches six actively exploited zero-days in February 2026 Patch Tuesday, addressing roughly 60 vulnerabilities across company products. (Published on 10-Feb-2026, SecurityWeek). Read More

• 📱 ZeroDayRAT emerges as new mobile spyware targeting both Android and iOS devices, providing attackers with persistent access capabilities. (Published on 10-Feb-2026, Infosecurity). Read More

• 🎣 Lumma Stealer rebounds with ClickFix lures and Castleloader malware, installing the information stealer at scale after previous disruption. (Published on 11-Feb-2026, Ars Technica). Read More

• 🔧 BeyondTrust critical RCE vulnerability targeted by hackers within 24 hours of proof-of-concept release for unauthenticated remote code execution. (Published on 13-Feb-2026, SecurityWeek). Read More

• 🏛️ CISA orders federal agencies to patch critical Microsoft Configuration Manager vulnerability from October 2024 now actively exploited in attacks. (Published on 13-Feb-2026, BleepingComputer). Read More

• 📧 Abandoned Outlook add-in AgreeTo hijacked through orphaned subdomain to phish 4,000 Microsoft Office Store users through verified marketplace listing. (Published on 12-Feb-2026, CSO Online). Read More

Espionage & Data Extraction

Nation-state actors and sophisticated threat groups launched targeted espionage campaigns across multiple platforms.

• 🎭 North Korean operatives impersonate professionals using real LinkedIn accounts with verified emails and identity badges for fraudulent remote job applications. (Published on 10-Feb-2026, The Hacker News). Read More

• 📲 Hackers use Signal QR codes and fake support scams to conduct surveillance on military and political leaders, German agencies warn. (Published on 9-Feb-2026, Hackread). Read More

• 📦 Lazarus Group plants malicious packages in npm and PyPI repositories as part of fake recruitment campaign active since May 2025. (Published on 12-Feb-2026, The Hacker News). Read More

• 🎯 APT36 and SideCopy deploy cross-platform RATs targeting Indian defense and government organizations, compromising Windows and Linux environments. (Published on 11-Feb-2026, The Hacker News). Read More

• 💼 UAT-9921 threat actor deploys VoidLink modular framework targeting technology and financial sectors, active since 2019 according to Cisco Talos. (Published on 13-Feb-2026, The Hacker News). Read More

Ransomware & Criminal Operations

Ransomware groups adopt new tactics including legitimate tool abuse and coordinated bluster campaigns.

• 🔒 Crazy ransomware gang abuses employee monitoring software and SimpleHelp remote tool to maintain persistence and evade detection before deploying ransomware. (Published on 11-Feb-2026, BleepingComputer). Read More

• ⚡ 0APT ransomware group emerges with massive victim claims potentially being hoax, but demonstrates genuine technical capabilities and attack threats. (Published on 11-Feb-2026, CyberScoop). Read More

AI & Policy

Artificial intelligence security concerns and policy developments took center stage with marketplace safeguards and threat warnings.

• 🛡️ OpenClaw integrates VirusTotal malware scanning for ClawHub marketplace after security firms identify malicious extensions and unauthorized enterprise deployments. (Published on 9-Feb-2026, CSO Online). Read More

• ⛸️ Czech ice dancers learn LLMs can produce plagiarism when their AI-generated Olympic music contains copyrighted content from original sources. (Published on 10-Feb-2026, TechCrunch). Read More

• 🤖 Google warns hackers abuse Gemini AI across all attack stages, highlighting AI model extraction attacks where actors probe models to replicate logic. (Published on 12-Feb-2026, BleepingComputer). Read More

• 💰 RentAHuman experiment reveals AI agents hiring humans for gig work to promote AI startups in meatspace, raising questions about AI labor dynamics. (Published on 13-Feb-2026, Ars Technica). Read More

• 🌍 Munich Security Conference reveals G7 countries rank cyber-attacks as top risk while BICS members place cyber threats eighth on priority list. (Published on 13-Feb-2026, Infosecurity). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another supply chain nightmare. 🎢

This week’s cybersecurity roundup features everything from compromised software updates (yes, even Notepad++) to record-breaking DDoS attacks that would make your infrastructure cry. We’ve got nation-state actors playing Olympics spoiler, fintech firms losing millions of records, and AI agents getting their own social network (because apparently they need friends too).

Whether you’re defending against WinRAR exploits or wondering if your antivirus just became your biggest threat, this week had something for everyone.

Check out the full breakdown below – your threat intel fix is served. ⬇️

#CyberBreaches #ThreatIntelligence #SupplyChainSecurity #FWU #fridaywrapup

Espionage & Data Extraction

Nation-state actors dominated headlines this week with sophisticated supply chain attacks and targeted espionage campaigns.

• 🎯 Chinese state hackers hijacked Notepad++’s update feature for months, compromising users through a trusted software channel. (Published on 2-Feb-2026, BleepingComputer). Read More

• 🐉 APT28 deployed espionage-focused malware exploiting Microsoft Office CVE-2026-21509 in targeted attacks against high-value systems. (Published on 3-Feb-2026, The Hacker News). Read More

• 🎿 Italy successfully thwarted Russian-linked cyberattacks targeting Winter Olympics websites, according to the Foreign Minister. (Published on 5-Feb-2026, SecurityWeek). Read More

• 🔪 China-linked DKnife AitM framework targets routers for traffic hijacking and malware delivery through advanced man-in-the-middle techniques. (Published on 6-Feb-2026, The Hacker News). Read More

• 📦 Amaranth-Dragon exploits WinRAR vulnerability in sophisticated espionage campaigns targeting sensitive organizational data. (Published on 4-Feb-2026, The Hacker News). Read More

Major Cyberattacks & Incidents This week saw multiple high-profile breaches affecting millions of users across various sectors.

• 🔐 ShinyHunters-branded extortion activity expands dramatically with escalating threats against compromised organizations worldwide. (Published on 2-Feb-2026, SecurityWeek). Read More

• 🥖 Hackers leaked 5.1 million Panera Bread customer records exposing personal information in a massive data breach. (Published on 3-Feb-2026, SecurityWeek). Read More

• 💰 Fintech firm Betterment suffered a data breach exposing 1.4 million customer accounts and sensitive financial information. (Published on 5-Feb-2026, BleepingComputer). Read More

• 📧 Newsletter platform Substack notified users of a data breach compromising subscriber information and account credentials. (Published on 5-Feb-2026, BleepingComputer). Read More

• ☁️ Exposed AWS credentials enabled AI-assisted cloud breach in just 8 minutes, demonstrating automation’s threat potential. (Published on 4-Feb-2026, Hackread). Read More

Malware & Vulnerabilities

Critical vulnerabilities and sophisticated malware strains continued to challenge security teams globally.

• 🛡️ eScan Antivirus update servers were compromised to deliver multi-stage malware to unsuspecting users trusting legitimate updates. (Published on 2-Feb-2026, The Hacker News). Read More

• 💬 Stealthy Windows RAT discovered holding live conversations with operators, enabling real-time command and control capabilities. (Published on 2-Feb-2026, CSO Online). Read More

• ⚛️ Hackers exploited critical React Native Metro bug to breach developer systems through supply chain attacks. (Published on 3-Feb-2026, BleepingComputer). Read More

• 🪱 GlassWorm malware returns to shatter developer ecosystems with enhanced capabilities targeting software supply chains. (Published on 3-Feb-2026, Dark Reading). Read More

• ⚠️ Critical n8n workflow automation flaws disclosed publicly along with working exploits posing immediate risk. (Published on 4-Feb-2026, BleepingComputer). Read More

• 🍎 macOS users targeted by Python infostealers disguised as legitimate AI installer packages stealing credentials and data. (Published on 5-Feb-2026, Hackread). Read More

• ☀️ Fresh SolarWinds vulnerability actively exploited in attacks targeting enterprise infrastructure and management systems. (Published on 4-Feb-2026, SecurityWeek). Read More

• 📦 New hacking campaign exploits Microsoft Windows WinRAR vulnerability in widespread attacks against Windows users. (Published on 5-Feb-2026, Infosecurity). Read More

• 🌐 Chinese-made malware kit targets Chinese-based routers and edge devices in coordinated infrastructure attacks. (Published on 6-Feb-2026, Infosecurity). Read More

• 🪝 17% of third-party OpenClaw add-ons used in cryptocurrency theft and macOS malware distribution campaigns. (Published on 6-Feb-2026, Hackread). Read More

DDoS, Outages & Infrastructure

Record-breaking attacks and persistent botnets tested infrastructure resilience worldwide.

• 💥 AISURU/Kimwolf botnet launched record-setting 31.4 Tbps DDoS attack, breaking previous volumetric attack records. (Published on 5-Feb-2026, The Hacker News). Read More

• 🤖 Global SystemBC botnet discovered active across 10,000 infected systems facilitating proxy services and malware delivery. (Published on 4-Feb-2026, Infosecurity). Read More

AI & Policy

Regulatory developments and AI security research shaped policy discussions this week.

• 🛡️ NSA published new Zero Trust implementation guidelines providing comprehensive framework for secure architecture deployment. (Published on 2-Feb-2026, Infosecurity). Read More

• 🤖 Moltbook emerges as social platform where AI agents communicate while humans observe interactions passively. (Published on 3-Feb-2026, Hackread). Read More

• 🚨 CISA orders federal agencies to replace end-of-life edge devices eliminating unpatched vulnerabilities from networks. (Published on 6-Feb-2026, BleepingComputer). Read More

• 🔍 Claude AI discovered 500 high-severity software vulnerabilities demonstrating AI’s potential in vulnerability research. (Published on 6-Feb-2026, CSO Online). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another avalanche of cyber chaos! From dating apps getting breached (swipe left on that security posture) to 1.5 million devs accidentally installing code-stealing VS Code extensions, it’s been a wild ride.

This week’s highlights: ShinyHunters went on a shopping spree, North Korean hackers are forming splinter groups like a K-pop band, and apparently 175,000 AI servers are just... out there... exposed. Also, half your employees are using shadow AI tools, and your C-suite is leading the charge.

Check out the full breakdown for all the gory details, zero-days, and infrastructure takedowns that made this week memorable (for all the wrong reasons).

#CyberThreats #InfoSecCommunity #ThreatIntelligence #Malware #DataBreach #Ransomware #FWU #fridaywrapup

Major Cyberattacks & Incidents

This week saw multiple high-profile breaches spanning dating apps to business intelligence platforms.

• 💔 Dating apps Match, Hinge, and OkCupid, along with Panera Bread, were breached by ShinyHunters ransomware group, exposing millions of customer records with varying impact levels. (Published on 30-Jan-2026, Malwarebytes). Read More

• 📊 Crunchbase confirmed a data breach after ShinyHunters’ hacking campaign targeted multiple platforms including SoundCloud and Betterment, compromising business intelligence data. (Published on 26-Jan-2026, SecurityWeek). Read More

• 🎣 ShinyHunters expanded operations to target over 100 organizations using vishing tactics and fake login pages to bypass SSO security and steal corporate data. (Published on 27-Jan-2026, Hackread). Read More

Malware & Vulnerabilities

Attackers deployed sophisticated malware campaigns across multiple platforms, from developer tools to mobile apps.

• 💻 Two malicious Visual Studio Code AI extensions with 1.5 million combined installs masqueraded as coding assistants while secretly exfiltrating developer source code to China-based servers. (Published on 26-Jan-2026, The Hacker News). Read More

• 🖱️ ClickFix attacks evolved using fake CAPTCHAs combined with signed Microsoft App-V scripts to distribute Amatera infostealer, avoiding common detection patterns through sophisticated execution methods. (Published on 27-Jan-2026, The Hacker News). Read More

• 🏧 Federal authorities charged 31 additional suspects linked to ATM jackpotting operations allegedly orchestrated by Venezuelan gang Tren de Aragua using specialized malware. (Published on 27-Jan-2026, BleepingComputer). Read More

• 🍎 Mac users face increased risk as malicious Google Ads direct searches for legitimate software to fake Mac Cleaner pages distributing malware. (Published on 29-Jan-2026, Hackread). Read More

• 📱 Arsink spyware spread across 143 countries by disguising itself as WhatsApp, YouTube, Instagram, and TikTok, targeting Android users in another widespread mobile malware campaign. (Published on 30-Jan-2026, Hackread). Read More

• 🌐 Researchers discovered malicious Chrome extensions hijacking affiliate links, stealing data, and collecting OpenAI ChatGPT authentication tokens, including a fake Amazon Ads Blocker. (Published on 30-Jan-2026, The Hacker News). Read More

Critical Vulnerabilities & Zero-Days

Critical security flaws and exploited vulnerabilities demand immediate attention from security teams.

• ⚠️ Ivanti disclosed two critical vulnerabilities in Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340) actively exploited in zero-day attacks against enterprise systems. (Published on 29-Jan-2026, BleepingComputer). Read More

• 📡 Nearly 800,000 Telnet servers remain exposed to remote attacks as threat actors exploit a critical authentication bypass vulnerability in GNU InetUtils telnetd server. (Published on 26-Jan-2026, BleepingComputer). Read More

• 🔓 Critical sandbox escape vulnerability in Grist-Core enables remote code execution via malicious formulas, highlighting risks in Pyodide-based security implementations. (Published on 27-Jan-2026, Infosecurity). Read More

Espionage & Data Extraction

State-sponsored threat actors continue evolving their tactics and operational structures.

• 🐉 Chinese espionage group Mustang Panda upgraded its CoolClient backdoor to steal browser login credentials and monitor clipboard activity in targeted surveillance operations. (Published on 27-Jan-2026, BleepingComputer). Read More

• 🇰🇵 Long-running North Korean threat group with Lazarus lineage has split into three distinct operations focused on espionage and cryptocurrency theft, according to CrowdStrike research. (Published on 29-Jan-2026, CyberScoop). Read More

Infrastructure & Operations

Google disrupted a massive malicious proxy network affecting millions of devices globally.

• 🛡️ Google disrupted IPIDEA proxy network, one of the largest residential proxy operations that enrolled devices through SDKs for mobile and desktop applications. (Published on 29-Jan-2026, SecurityWeek). Read More

• 🌍 Google’s action removed millions of compromised devices from IPIDEA’s infrastructure, though not completely, highlighting ongoing challenges in dismantling cybercriminal proxy networks. (Published on 30-Jan-2026, CyberScoop). Read More

AI & Policy

AI security concerns expand as organizations grapple with exposed infrastructure and shadow AI adoption.

• 🤖 Investigation uncovered 175,000 publicly accessible Ollama AI servers across 130 countries operating outside managed infrastructure, creating massive unmanaged AI compute exposure. (Published on 29-Jan-2026, The Hacker News). Read More

• 👥 Nearly half of employees use unsanctioned AI tools, with 69% of executives prioritizing speed over security as shadow AI proliferates across enterprises. (Published on 30-Jan-2026, CSO Online). Read More

Cybersecurity Policy & Industry

Stakeholders collaborate on voluntary frameworks to address emerging security challenges.

• 🤝 Industry leaders, government agencies, and nonprofits held weekend discussions advancing voluntary rules for commercial hacking tools under the Pall Mall Process framework. (Published on 26-Jan-2026, CyberScoop). Read More

Social Engineering & Phishing

Attackers continue exploiting trusted platforms for credential theft.

• 📧 Scammers abused Microsoft Teams invitations to send 12,866 fake billing notice emails reaching approximately 6,135 users in phone-based phishing campaign. (Published on 26-Jan-2026, Hackread). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another mountain of security incidents to digest. From Fortinet’s double-feature vulnerability showcase to AI systems getting tricked into leaking your calendar (thanks, Gemini!), the headlines remind us that “fully patched” is more of a suggestion than a guarantee.

Highlights? Tesla got pwned for half a million dollars, Microsoft blamed a “coding error” for Outlook crashes (aren’t they all?), and Curl is officially done with AI-generated bug bounty spam. Somewhere, a developer shed a single tear.

The real MVP: Mandiant basically saying “if you’re still using NTLMv1, here’s how to crack it—maybe that’ll motivate you.”

Read the full Friday Wrap Up below for categorized summaries, zero-day drama, and why your firewall configs might already be someone else’s weekend reading.

#FWU #fridaywrapup #CyberSecurity #InfoSec #ZeroDay #ThreatIntel #AIGoneWild

Major Cyberattacks & Incidents

This week saw significant breaches spanning IT giants, automotive systems, and retail sectors.

• 🚨 Ingram Micro disclosed that a July 2025 ransomware attack exposed data of 42,000 current and former employees, including SSNs and birth dates. (Published on 19-Jan-2026, BleepingComputer). Read More

• ⚠️ RansomHouse claims data breach at Apple contractor Luxshare, though no evidence has been released and links remain offline. (Published on 20-Jan-2026, Hackread). Read More

• 🏆 Security researchers hacked Tesla’s Infotainment System and earned $516,500 exploiting 37 zero-days on day one of Pwn2Own Automotive 2026. (Published on 21-Jan-2026, BleepingComputer). Read More

• 🎣 Milano-Cortina 2026 Winter Olympics faces cyber threats with phishing and spoofed websites identified as primary attack vectors. (Published on 21-Jan-2026, Infosecurity). Read More

• 🔑 LastPass users targeted by backup-themed phishing emails, likely timed to exploit US holiday weekend for increased success rates. (Published on 21-Jan-2026, SecurityWeek). Read More

• 🔥 Automated attacks targeting Fortinet FortiGate devices create rogue accounts and steal firewall configuration data, according to Arctic Wolf. (Published on 22-Jan-2026, BleepingComputer). Read More

• 👕 Under Armour investigating data breach affecting customers’ email addresses and other personal information, incident details still emerging. (Published on 23-Jan-2026, SecurityWeek). Read More

• âš–ï¸ Russian national Ianis Antropenko pleaded guilty to leading ransomware crew in four-year crime spree affecting 50+ victims, faces 25 years. (Published on 22-Jan-2026, CyberScoop). Read More

Malware & Vulnerabilities Critical flaws and sophisticated malware dominated security disclosures this week.

• 🕵️ XSS vulnerability in StealC malware control panel allowed researchers to monitor threat actor operations and collect system fingerprints. (Published on 19-Jan-2026, The Hacker News). Read More

• 📷 TP-Link patched vulnerability in VIGI cameras allowing remote hacking, with over 2,500 internet-exposed devices discovered by researchers. (Published on 19-Jan-2026, SecurityWeek). Read More

• 📄 PDFSIDER malware discovered using advanced anti-VM checks and hidden techniques for long-term covert system access. (Published on 19-Jan-2026, Infosecurity). Read More

• 🔧 Three security vulnerabilities disclosed in Anthropic’s MCP Git server enable arbitrary file access and code execution via prompt injection. (Published on 20-Jan-2026, The Hacker News). Read More

• ☁️ Cloudflare fixed ACME validation bug allowing attackers to bypass WAF controls and directly access origin servers. (Published on 20-Jan-2026, The Hacker News). Read More

• 🤖 VoidLink Linux malware framework, built with AI assistance by single developer, reached 88,000 lines of sophisticated code. (Published on 21-Jan-2026, The Hacker News). Read More

• 🔐 GitLab patched high-severity 2FA bypass vulnerability affecting both community and enterprise editions of its development platform. (Published on 21-Jan-2026, BleepingComputer). Read More

• ⚡ Cisco released critical patches for zero-day CVE-2026-20045 actively exploited in Unified CM and Webex Calling Dedicated Instance. (Published on 22-Jan-2026, The Hacker News). Read More

• 🏡 RealHomes CRM plugin vulnerability affected 30,000+ WordPress sites by allowing malicious file uploads; patches now released. (Published on 22-Jan-2026, Infosecurity). Read More

• 🛡️ Fortinet confirms active FortiCloud SSO bypass exploitation on fully-patched FortiGate firewalls, working on complete fix. (Published on 23-Jan-2026, The Hacker News). Read More

Cybersecurity Tools & Techniques Google’s Mandiant took an unconventional approach to forcing security upgrades.

• 🌈 Mandiant released NTLMv1 rainbow table lookup to demonstrate protocol’s insecurity, enabling credential recovery in 12 hours on $600 hardware. (Published on 19-Jan-2026, CSO Online). Read More

Vulnerability Research & Industry Analysis Researchers showcased both offensive capabilities and defensive innovations.

• 💰 Pwn2Own Automotive 2026 concluded with researchers earning $1,047,000 for exploiting 76 zero-day vulnerabilities across three days. (Published on 23-Jan-2026, BleepingComputer). Read More

• ⚙️ Austrian researchers optimized Linux page cache attacks, reviving old exploit techniques with dramatically improved speed and efficiency. (Published on 22-Jan-2026, SecurityWeek). Read More

AI & Policy Artificial intelligence created both security challenges and operational headaches this week.

• 🤖 Google Gemini bypassed via natural language prompt injection, allowing attackers to create misleading Calendar events and leak private data. (Published on 20-Jan-2026, BleepingComputer). Read More

• 🇪🇺 EU proposes mandatory 5G cybersecurity measures targeting high-risk telecom suppliers, widely seen as aimed at Chinese vendors. (Published on 20-Jan-2026, SecurityWeek). Read More

• 🚫 Curl developer ending HackerOne bug bounty program after overwhelming flood of low-quality AI-generated vulnerability reports. (Published on 22-Jan-2026, BleepingComputer). Read More

DDoS, Outages & Infrastructure Microsoft acknowledged a stability issue affecting mobile users.

• 📱 Microsoft confirmed Outlook for iOS crashes and freezes on iPad devices due to coding error, fix in progress. (Published on 23-Jan-2026, BleepingComputer). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

🎢 This week’s cybersecurity rollercoaster: where Wi-Fi crashes with one packet, Chrome extensions cosplay as your HR portal, and ZIP files contain more layers than a lasagna made by someone with commitment issues.

The big picture? Attackers are getting sophisticated (looking at you, Predator spyware that learns from failure), infrastructure is falling over (RIP Verizon, enjoy your $20), and apparently two missing characters almost took down AWS. Two. Characters.

Meanwhile, cybercrime groups are running tighter operations than most Fortune 500 companies, complete with KPIs and customer support. The irony is painful.

Check out the full wrap-up for all the gory details on this week’s digital chaos.

#CyberSecurity #ThreatIntelligence #InfoSec #Malware #Ransomware #DataBreach #FWU #fridaywrapup

Malware & Vulnerabilities

This week’s vulnerability buffet features everything from Chrome extensions masquerading as HR tools to Wi-Fi bugs that can knock your network offline with a single packet.

• 🎭 Fake n8n workflow packages on npm tricked developers into revealing OAuth credentials by posing as legitimate Google Ads integrations. (Published on 12-Jan-2026, The Hacker News). Read More

• 📸 Instagram patched a password reset flaw that let third parties spam users with reset emails and potentially leak user data. (Published on 12-Jan-2026, SecurityWeek). Read More

• 🐧 VoidLink malware framework discovered targeting Linux cloud servers with custom loaders, rootkits, and plugins designed for modern cloud environments. (Published on 13-Jan-2026, BleepingComputer). Read More

• 📡 Broadcom Wi-Fi chipset flaw allows attackers to crash 5GHz networks with one malicious frame, requiring manual router reboots to restore connectivity. (Published on 13-Jan-2026, CSO Online). Read More

• 🤖 ServiceNow patched critical AI Platform vulnerability (CVE-2025-12420) that allowed unauthenticated attackers to impersonate users and perform arbitrary actions. (Published on 13-Jan-2026, The Hacker News). Read More

• 🪟 Microsoft’s January Patch Tuesday addressed 112 vulnerabilities, including one actively exploited Windows zero-day disclosed publicly before patches were available. (Published on 13-Jan-2026, SecurityWeek). Read More

• 🎣 Browser-in-the-browser phishing attacks surge, tricking Facebook users into surrendering login credentials through convincing fake authentication windows. (Published on 13-Jan-2026, Infosecurity). Read More

• 💰 Fake PayPal payment notices deployed remote monitoring tools to steal credentials and maintain persistent access to victim systems. (Published on 14-Jan-2026, Infosecurity). Read More

• 🔥 Palo Alto Networks patched high-severity DoS vulnerability letting unauthenticated attackers disable firewall protections remotely. (Published on 15-Jan-2026, BleepingComputer). Read More

• 🤖 Microsoft Copilot vulnerability allowed “Reprompt” attack to silently exfiltrate session data even after chat windows were closed. (Published on 15-Jan-2026, SecurityWeek). Read More

• ☁️ AWS CodeBuild misconfiguration exposed core repositories to potential supply chain attacks affecting the entire AWS Console. (Published on 15-Jan-2026, Infosecurity). Read More

• 📧 Cisco patched maximum-severity AsyncOS zero-day exploited in attacks targeting Secure Email Gateway appliances since November 2025. (Published on 16-Jan-2026, BleepingComputer). Read More

• 🌐 Five malicious Chrome extensions impersonated Workday, NetSuite, and SuccessFactors to steal authentication tokens and hijack enterprise accounts. (Published on 16-Jan-2026, The Hacker News). Read More

• 📦 GootLoader malware now concatenates 500-1,000 ZIP archives to create malformed files that evade detection by most unarchiving tools. (Published on 16-Jan-2026, The Hacker News). Read More

Major Cyberattacks & Incidents

Canadian financial regulators join the breach club with three-quarters of a million records exposed.

• 🇨🇦 Canadian Investment Regulatory Organization suffered data breach impacting personal information of 750,000 member firms and registered employees. (Published on 16-Jan-2026, SecurityWeek). Read More

Espionage & Data Extraction A

dvanced spyware learns from its failures, turning unsuccessful attacks into reconnaissance for future exploits.

• 🕵️ Predator spyware revealed to possess sophisticated anti-analysis features, converting failed attack attempts into intelligence for future zero-day exploits. (Published on 14-Jan-2026, SecurityWeek). Read More

Cybersecurity Tools & Techniques

This week defenders fought back, null-routing botnets and dismantling cybercrime infrastructure through coordinated legal action.

• 🤖 Black Lotus Labs null-routed over 550 command-and-control nodes for AISURU/Kimwolf botnet since October, disrupting massive DDoS infrastructure. (Published on 14-Jan-2026, The Hacker News). Read More

• ⚖️ Microsoft’s coordinated legal action in US and UK disrupted RedVDS cybercrime subscription service linked to millions in fraud losses. (Published on 15-Jan-2026, The Hacker News). Read More

DDoS, Outages & Infrastructure

Verizon’s nationwide outage left millions phoneless, but at least they’re getting $20 credits for their trouble.

• 📱 Verizon Wireless suffered massive nationwide outage leaving customers in SOS mode without cellular service across the US. (Published on 14-Jan-2026, BleepingComputer). Read More

• 💵 Verizon began issuing $20 account credits via text message following last week’s nationwide wireless outage. (Published on 16-Jan-2026, BleepingComputer). Read More

Vulnerability Research & Industry Analysis

Deep dives into how cybercrime has become more organized than most IT departments, and why npm has become ground zero for supply chain attacks.

• 🏢 Cybercrime groups now operate with corporate-level structure, offering ransomware-as-a-service with support forums, KPIs, and profit-sharing models. (Published on 14-Jan-2026, CSO Online). Read More

• 📦 npm supply chain attacks evolved from simple typosquatting to coordinated credential theft campaigns targeting maintainers and CI/CD pipelines. (Published on 15-Jan-2026, CSO Online). Read More

• ☁️ Two missing characters in AWS CodeBuild configuration nearly compromised entire AWS Console in critical supply chain vulnerability. (Published on 16-Jan-2026, Hackread). Read More

AI & Policy

Tech giants team up while regulators crack down on deepfakes and data brokers.

• 🤝 Apple confirmed multi-year partnership with Google to power next-generation Siri using Gemini AI and Google Cloud infrastructure. (Published on 12-Jan-2026, BleepingComputer). Read More

• 🏥 California CPPA cracked down on unregistered data brokers illegally trading personal health data without proper authorization. (Published on 12-Jan-2026, Infosecurity). Read More

• 🇬🇧 UK regulator Ofcom launched investigation into X (formerly Twitter) for allegedly facilitating nonconsensual deepfake pornography of adults and children. (Published on 12-Jan-2026, CyberScoop). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another wave of vulnerabilities keeping us on our toes!

From nation-state hackers conducting global credential harvesting campaigns to fake AI Chrome extensions stealing nearly a million users’ data, this week proved cybersecurity professionals earn every bit of their coffee budget. Critical n8n vulnerabilities reached CVSS scores that made even hardened defenders nervous, while Chinese Salt Typhoon intrusions keep expanding in scope. Meanwhile, Disney learned that YouTube privacy violations cost $10M—turns out COPPA compliance isn’t optional.

The hospitality sector got hammered by sophisticated ClickFix campaigns, Android botnets grew to 2 million devices, and WhatsApp became an unlikely malware distribution vector in Brazil. On the defensive side, researchers turned the tables with a honeypot that successfully snared Scattered Lapsus$ operators, proving that sometimes the best defense is a really convincing fake dataset.

Patch your systems, enable that MFA, and maybe check if those Chrome extensions are actually legitimate. Your Friday reminder that threat actors never take the weekend off—so neither should your security posture.

#ThreatIntelligence #InfoSec #CyberSecurity #Malware #DataBreach #Ransomware #FWU #FridayWrapUp

Major Cyberattacks & Incidents

This week’s breach landscape spans VPN services, hospitality targets, and gas station operations.

• 🛡️ NordVPN denied breach allegations after attackers claimed access to internal Salesforce servers, stating cybercriminals obtained dummy data from a third-party testing platform trial account. (Published on 5-Jan-2026, BleepingComputer). Read More

• 🎯 Sophisticated ClickFix campaign targets hospitality sector with fake Booking.com reservation cancellations and fake BSODs, tricking victims into executing malicious code that delivers RAT infections. (Published on 6-Jan-2026, SecurityWeek). Read More

• 🏨 Multi-stage PHALT#BLYX ClickFix malware campaign hits hospitality organizations using social engineering tactics and MSBuild.exe abuse to compromise systems and deploy remote access trojans. (Published on 6-Jan-2026, Infosecurity). Read More

• 🔐 ownCloud urgently recommends enabling multi-factor authentication after receiving reports of credential theft, warning users that compromised credentials could enable unauthorized data access by attackers. (Published on 7-Jan-2026, BleepingComputer). Read More

• ⛽ Texas-based Gulshan Management Services, operating Handi Plus and Handi Stop gas stations, disclosed a ransomware-triggered data breach impacting over 377,000 individuals’ personal information. (Published on 7-Jan-2026, Hackread). Read More

• ⛽ Gulshan Management Services reported a ransomware attack led to data breach affecting 377,000 people associated with their Texas gas station operations across 150 locations. (Published on 9-Jan-2026, SecurityWeek). Read More

Malware & Vulnerabilities

Critical flaws and emerging threats dominated patching priorities this week.

• 🐍 VVS Stealer, a Python-based information stealer sold on Telegram since April 2025, harvests Discord credentials and tokens using Pyarmor-obfuscated code to evade detection. (Published on 5-Jan-2026, The Hacker News). Read More

• 📱 Kimwolf Android botnet grows to 2 million compromised devices, monetizing through DDoS attacks, fraudulent app installations, and selling proxy bandwidth via residential proxy networks. (Published on 5-Jan-2026, SecurityWeek). Read More

• 🌐 RondoDox botnet expands operations by exploiting React2Shell vulnerability, targeting Next.js servers with cryptomining payloads, botnet infections, and other malicious activity threatening IoT and enterprises. (Published on 5-Jan-2026, Dark Reading). Read More

• 🤖 High-severity flaw in Open WebUI Direct Connections (used for AI integrations) creates risk for account takeover and server compromises requiring immediate attention. (Published on 6-Jan-2026, Infosecurity). Read More

• ⚠️ Critical n8n vulnerability (CVE-2025-68668, CVSS 9.9) enables authenticated attackers to execute arbitrary system commands on the underlying host in the workflow automation platform. (Published on 6-Jan-2026, The Hacker News). Read More

• 🌐 Legacy D-Link DSL gateway routers face active exploitation of newly discovered command injection vulnerability, affecting multiple out-of-support models with no patches available. (Published on 6-Jan-2026, BleepingComputer). Read More

• 💾 Veeam patched critical remote code execution vulnerability allowing operator-level users to execute commands with database administrator privileges in Backup & Replication software. (Published on 7-Jan-2026, CyberScoop). Read More

• 🔌 Malicious Chrome extensions with 900,000 combined downloads caught impersonating legitimate AITOPIA extension, exfiltrating users’ AI chat conversations and browser activity to attacker infrastructure. (Published on 7-Jan-2026, SecurityWeek). Read More

• 💳 Ghost Tap Android malware enables remote NFC payment fraud, allowing unauthorized tap-to-pay transactions without physical access to victims’ bank cards or devices. (Published on 7-Jan-2026, Infosecurity). Read More

• 💬 WhatsApp worm spreads Astaroth banking trojan across Brazil by retrieving victims’ contact lists and automatically sending malicious messages to propagate the Windows malware. (Published on 8-Jan-2026, The Hacker News). Read More

• 🚨 CISA added Microsoft Office (CVE-2009-0556) and HPE OneView vulnerabilities to Known Exploited Vulnerabilities catalog after detecting active exploitation in the wild. (Published on 8-Jan-2026, The Hacker News). Read More

• ⚠️ Second critical n8n vulnerability (CVE-2026-21877, CVSS 10.0) discovered by Upwind enables full system takeover, requiring immediate update to version 1.121.3 to prevent exploitation. (Published on 8-Jan-2026, Hackread). Read More

• 🌐 Fake AI-powered Chrome extensions mimicked legitimate tools to steal 900K users’ ChatGPT and DeepSeek data before sending harvested information to command-and-control servers. (Published on 8-Jan-2026, Dark Reading). Read More

• 🤖 GoBruteforcer botnet actively targets exposed Linux servers, conducting brute-force attacks against FTP, MySQL, and other services to compromise systems and expand operations. (Published on 8-Jan-2026, Infosecurity). Read More

• ðŸ›¡ï¸ Trend Micro patched critical remote code execution vulnerability in Apex Central on-premise console, allowing attackers to execute arbitrary code with SYSTEM-level privileges. (Published on 9-Jan-2026, BleepingComputer). Read More

• 🔧 Cisco ISE vulnerability (CVE-2026-20029, CVSS 4.9) enables authenticated administrators to exploit improper XML parsing in licensing features, gaining unauthorized read access to sensitive files. (Published on 9-Jan-2026, CSO Online). Read More

AI & Policy

Regulatory actions and AI security concerns continue shaping the landscape.

• 🎬 Disney settles with DOJ and FTC for $10 million over YouTube privacy violations under COPPA, implementing new measures to protect children’s data collection practices. (Published on 5-Jan-2026, Hackread). Read More

• 🤖 Employees using personal LLM accounts for work tasks create shadow AI risks, with lack of governance and visibility resulting in increased data security exposures. (Published on 7-Jan-2026, Infosecurity). Read More

• 🔧 Gmail launches AI Inbox powered by Gemini to summarize emails, with Google explicitly stating it will not train AI models on user email content. (Published on 8-Jan-2026, BleepingComputer). Read More

• 🧟 Radware researchers demonstrated ZombieAgent attack, successfully bypassing ChatGPT protections to exfiltrate user data and implant persistent logic into the agent’s long-term memory. (Published on 9-Jan-2026, SecurityWeek). Read More

Espionage & Data Extraction

Nation-state actors remain persistently active across global targets.

• 🎯 Russian APT28 (BlueDelta) conducted credential harvesting campaign targeting Turkish energy and nuclear research personnel, European think tanks, and organizations in North Macedonia and Uzbekistan. (Published on 9-Jan-2026, The Hacker News). Read More

• 🇨🇳 Salt Typhoon Chinese hack scope expands as investigations reveal Chinese state hackers spent over a year undetected inside major U.S. telecom networks, spying on officials. (Published on 9-Jan-2026, Techdirt). Read More

Vulnerability Research & Industry Analysis

Researchers spotlight metadata leaks and novel attack techniques.

• 📱 WhatsApp metadata leak enables device fingerprinting useful for sophisticated spyware delivery, though impact remains limited without zero-day exploits; Meta rolling out fixes. (Published on 5-Jan-2026, SecurityWeek). Read More

Cybersecurity Tools & Techniques

Defenders demonstrate creative approaches to identifying threat actors.

• 🪤 Security researchers successfully trapped Scattered Lapsus$ Hunters (ShinyHunters) using a honeypot with realistic but mostly fake datasets, drawing in the notorious threat actors. (Published on 6-Jan-2026, Dark Reading). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

The Friday Wrap Up is taking a holiday break 🎄

After 50 weeks of doom-scrolling through CVEs, data breaches, and supply chain incidents, the FWU is officially logging off until 2026.

Yes, 2026. The FWU will be back with more threat intelligence, more zero-days, and probably another ransomware group with a questionable naming convention.

What to expect during the FWU break:

• Threat actors will continue working (they don’t believe in work-life balance)

• Your CEO will still click on phishing emails

• Someone will definitely misconfigure an S3 bucket

• We will be blissfully unaware of all of it ☕

Gentle reminders while the FWU is gone:

• “admin/admin” is not a secure credential combo, no matter what your IoT device says

• Your family’s tech support questions can wait until January (probably)

• If an email says “URGENT: Your Netflix account has been suspended,” it’s lying

Stay safe out there. Patch your systems. Enable MFA. Don’t let your guard down just because we did.

See you in 2026 🔐

P.S. - If something catastrophic happens, I’ll probably still post about it. I have a problem.

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another avalanche of zero-days, ransomware victims, and creative attack techniques that make you wonder if threat actors ever sleep (spoiler: they don’t).

From Chrome getting exploited in the wild to malware hiding in VS Code extensions—because apparently, even our dev tools need therapy now—this week had it all. We’ve got nation-state shenanigans, AI security guardrails, and someone at Accenture allegedly fudging DoD compliance (yikes).

Click through for the full breakdown before your CISO asks if you’ve seen the latest Chrome patch.

#CyberSecurity #ThreatIntelligence #InfoSec #FWU #fridaywrapup #Malware #DataBreach #Ransomware

Major Cyberattacks & Incidents

This week saw multiple significant data breaches and sophisticated attack campaigns targeting organizations worldwide.

• 🚨 Marquis Software Solutions suffered a firewall vulnerability breach exposing personal data of over 780,000 individuals across the United States. (Published on 8-Dec-2025, Infosecurity). Read More

• 📊 Fieldtex Products disclosed a data breach impacting 238,000 people after the Akira ransomware group claimed responsibility for stealing 14GB of company data. (Published on 12-Dec-2025, SecurityWeek). Read More

• 🏪 South Korean police raided Coupang’s offices following a major data breach, prompting the CEO’s resignation amid the investigation. (Published on 12-Dec-2025, Infosecurity). Read More

• 🎯 Storm-0249 initial access broker weaponized endpoint detection and response platforms and Windows utilities in highly targeted precision attacks against organizations. (Published on 10-Dec-2025, Dark Reading). Read More

Malware & Vulnerabilities

Critical flaws and new malware campaigns dominated security headlines with exploits targeting enterprise and consumer platforms alike.

• 🕸️ JS#SMUGGLER campaign leverages compromised websites to inject obfuscated JavaScript loaders distributing NetSupport RAT through encrypted HTML applications. (Published on 8-Dec-2025, The Hacker News). Read More

• 🔧 SAP released December security updates patching 14 vulnerabilities including three critical-severity flaws affecting Solution Manager, Commerce Cloud, and other products. (Published on 9-Dec-2025, BleepingComputer). Read More

• 🤖 Google patched a critical Gemini Enterprise vulnerability enabling attackers to inject malicious instructions into documents to exfiltrate sensitive corporate information. (Published on 9-Dec-2025, Dark Reading). Read More

• 📝 Adobe addressed nearly 140 vulnerabilities in its December update, including 116 cross-site scripting bugs in Experience Manager. (Published on 9-Dec-2025, SecurityWeek). Read More

• 🏰 CastleLoader malware used by four distinct threat clusters confirms GrayBravo’s malware-as-a-service business model expanding infrastructure. (Published on 9-Dec-2025, The Hacker News). Read More

• 📱 DroidLock Android malware locks device screens demanding ransom while accessing text messages, call logs, contacts, and audio data. (Published on 10-Dec-2025, BleepingComputer). Read More

• 🔑 Gladinet’s CentreStack and Triofox products contain hard-coded cryptographic keys enabling unauthorized access and remote code execution in active attacks. (Published on 10-Dec-2025, The Hacker News). Read More

• 💾 Three security vulnerabilities in PCIe 5.0+ Integrity and Data Encryption protocol expose systems to faulty data handling by local attackers. (Published on 10-Dec-2025, The Hacker News). Read More

• ☁️ ConsentFix attack variant exploits Azure CLI OAuth app to hijack Microsoft accounts without passwords or bypassing multi-factor authentication. (Published on 11-Dec-2025, BleepingComputer). Read More

• 💻 Nineteen malicious Visual Studio Code extensions embedded malware in dependency folders using legitimate npm packages to compromise developer environments. (Published on 11-Dec-2025, Infosecurity). Read More

• 🐍 PyStoreRAT JavaScript-based remote access trojan distributed through fake OSINT and GPT utility GitHub repositories targeting developers. (Published on 12-Dec-2025, The Hacker News). Read More

• 🍎 Apple issued emergency patches for two zero-day vulnerabilities exploited in extremely sophisticated attacks targeting specific individuals. (Published on 12-Dec-2025, BleepingComputer). Read More

• 🌐 Google Chrome faced active in-the-wild exploitation of an undisclosed high-severity vulnerability prompting emergency security updates. (Published on 11-Dec-2025, The Hacker News). Read More

Vulnerability Research & Exploitation

Rapid exploitation campaigns demonstrated how quickly threat actors weaponize newly disclosed vulnerabilities.

• ⚛️ React2Shell (CVE-2025-55182) exploitation activity intensified as more threat actors weaponized the flaw immediately following public disclosure. (Published on 8-Dec-2025, Dark Reading). Read More

• 🇰🇵 Sophisticated React2Shell exploitation campaigns delivering EtherRAT show indicators linking attacks to North Korean cyber intrusion tactics. (Published on 9-Dec-2025, Infosecurity). Read More

Espionage & Nation-State Activity

Pro-Russia hacktivist groups escalated targeting of critical infrastructure in coordinated campaigns.

• 🎯 Pro-Russia hacktivist groups exploited exposed virtual network computing connections to breach operational technology systems in US critical infrastructure. (Published on 10-Dec-2025, Infosecurity). Read More

AI & Policy

Developments in AI security, regulatory compliance, and industry guidance shaped conversations around emerging technologies.

• 🛡️ Google detailed security guardrails protecting Chrome’s upcoming agentic browsing features from indirect prompt injection and other AI-specific attacks. (Published on 8-Dec-2025, TechCrunch). Read More

• 🤖 Chrome’s agentic AI protections include user alignment critic, expanded origin-isolation capabilities, and mandatory user confirmations for sensitive actions. (Published on 8-Dec-2025, SecurityWeek). Read More

• 💰 Microsoft expanded its bug bounty program to reward security researchers for critical vulnerabilities in any online service regardless of code origin. (Published on 11-Dec-2025, BleepingComputer). Read More

• ⚖️ Former Accenture employee Danielle Hillmer faces cybersecurity fraud charges for allegedly concealing that cloud platforms failed DoD security requirements. (Published on 11-Dec-2025, SecurityWeek). Read More

• 🎭 UK’s National Cyber Security Centre released new cyber deception guidance and learnings from pilot programs advancing defensive capabilities. (Published on 12-Dec-2025, Infosecurity). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

Another week, another reminder that cybercriminals are getting creative while defenders scramble to keep up! From malware disguising itself as helpful browser extensions to hackers learning poetry (yes, really) to break AI systems, this week had it all.

We’re talking massive DDoS attacks breaking records, nation-states playing the long game with backdoors, and even an Aussie getting jail time for fake airport Wi-Fi. Plus, the eternal struggle continues: zero trust is still more “aspirational framework” than “accomplished mission” for most organizations.

Whether you’re patching React vulnerabilities, investigating ransomware claims, or just trying to understand why cybercrime has become a subscription service, this week’s wrap-up has the details you need.

Scroll through for the full breakdown of attacks, breaches, and security developments that shaped the week. Stay vigilant out there! 🔐

#ThreatIntel #SecurityBreaches #CyberThreats #FWU #fridaywrapup #CyberSecurity #InfoSec #Malware #DateBreach #Ransomware

Malware & Vulnerabilities

This week revealed a disturbing landscape of evolving malware threats and critical software flaws demanding immediate attention.

• 🦠 ShadyPanda malicious campaign amassed 4.3 million Chrome and Edge browser extension installations, transforming seemingly legitimate tools into malware over seven years. (Published on 1-Dec-2025, BleepingComputer). Read More

• 💰 Albiriox banking trojan surfaces as new Android malware-as-a-service offering from Russian cybercriminals, available for $720 monthly subscription targeting 400+ global banking apps. (Published on 1-Dec-2025, SecurityWeek). Read More

• 🤖 Malicious npm package manipulates AI security detection systems with misleading prompts, exploiting automated analysis tools in sophisticated supply chain attack. (Published on 1-Dec-2025, Infosecurity). Read More

• 🔍 Chrome and Edge extensions caught profiling users, reading cookie data to create unique identifiers, and executing malicious payloads with full browser API access. (Published on 2-Dec-2025, SecurityWeek). Read More

• 📱 Google patches 107 Android vulnerabilities including two Framework bugs actively exploited in the wild, addressing flaws across multiple system components and chipset manufacturers. (Published on 2-Dec-2025, The Hacker News). Read More

• ⚛️ Critical React vulnerability threatens major applications as developers scramble to patch flaw found in 39% of cloud environments using this widely-deployed framework. (Published on 3-Dec-2025, CyberScoop). Read More

• 🪟 Microsoft silently patches Windows LNK file vulnerability actively exploited since 2017, addressing UI misinterpretation flaw that enabled threat actors’ campaigns for years. (Published on 3-Dec-2025, The Hacker News). Read More

• 🇨🇳 Chinese hackers actively exploit React2Shell vulnerability as AWS observes multiple China-linked threat groups targeting the critical flaw in coordinated campaigns. (Published on 4-Dec-2025, SecurityWeek). Read More

Major Cyberattacks & Incidents

Significant breaches this week exposed vulnerabilities across emergency services, manufacturing, financial sectors, and government infrastructure.

• 🚨 CodeRED emergency alert platform shut down following cyberattack, with Inc ransomware gang claiming responsibility and threatening sensitive subscriber data exposure. (Published on 1-Dec-2025, Dark Reading). Read More

• 🏢 Everest ransomware group claims ASUS breach, alleging theft of over 1TB data including camera source code with 21-hour response deadline via Qtox. (Published on 2-Dec-2025, Hackread). Read More

• 🏦 Marquis Software Solutions data breach impacts over 74 U.S. banks and credit unions, exposing customers’ financial information through compromised software provider infrastructure. (Published on 3-Dec-2025, BleepingComputer). Read More

• 📱 Freedom Mobile confirms data breach as hackers stole customers’ personal information from account management platform, compromising subscriber details and credentials. (Published on 4-Dec-2025, SecurityWeek). Read More

• 💻 Two Virginia contractors arrested for allegedly wiping 96 government databases and stealing sensitive information after termination from federal positions. (Published on 4-Dec-2025, BleepingComputer). Read More

Espionage & Data Extraction

Nation-state actors and commercial spyware operators continued targeting sensitive data through sophisticated intelligence operations.

• 🇰🇵 North Korean recruiters exposed in unprecedented operation luring software engineers to rent their identities for illicit IT worker schemes funding regime activities. (Published on 2-Dec-2025, BleepingComputer). Read More

• 🛒 Arizona Attorney General sues Chinese retailer Temu and parent company PDD Holdings over allegations of stealing customers’ data through e-commerce platform. (Published on 3-Dec-2025, SecurityWeek). Read More

• 🔐 CISA reveals BRICKSTORM backdoor used by PRC state-sponsored threat actors for maintaining long-term persistence in compromised VMware vSphere and Windows systems. (Published on 5-Dec-2025, The Hacker News). Read More

• 👁️ Predator spyware maker Intellexa continues operations despite sanctions, with new data leaks exposing flagship spyware infrastructure, attack vectors, and additional victims. (Published on 5-Dec-2025, Infosecurity). Read More

Cybersecurity Tools & Techniques

From criminal prosecution to underground marketplace evolution, this week highlighted both enforcement successes and emerging threat landscapes.

• ✈️ Australian man sentenced to 7 years 4 months in prison for deploying evil twin Wi-Fi networks at airports and mid-flight to steal travelers’ data. (Published on 1-Dec-2025, Hackread). Read More

• 🛠️ Cybercrime fully shifts to subscription model with phishing kits, Telegram OTP bots, infostealer logs, and RATs now rented like SaaS tools for low-skill attackers. (Published on 2-Dec-2025, BleepingComputer). Read More

DDoS, Outages & Infrastructure

Massive DDoS attacks and critical infrastructure failures demonstrated the fragility of internet services under targeted assault.

• 🌊 Cloudflare detects and mitigates record-breaking 29.7 Tbps DDoS attack originating from AISURU botnet-for-hire with up to 4 million infected hosts. (Published on 3-Dec-2025, The Hacker News). Read More

• ⚠️ Cloudflare outage causes widespread website crashes with 500 Internal Server Error messages affecting numerous sites relying on the infrastructure provider’s services. (Published on 5-Dec-2025, BleepingComputer). Read More

AI & Policy

Emerging research reveals AI vulnerabilities while industry grapples with implementing foundational security frameworks.

• 🎭 Researchers demonstrate AI jailbreaking through poetry, increasing attack success rates from 8% to 43% when prompts use poetic rather than prose formatting. (Published on 2-Dec-2025, Dark Reading). Read More

• 🚛 California revises rules potentially ending self-driving truck ban, allowing autonomous vehicle testing on public highways while closing driverless vehicle ticketing loopholes. (Published on 4-Dec-2025, TechCrunch). Read More

• 🛡️ After 15 years, zero trust implementation remains elusive as organizations struggle with fragmented tooling, legacy infrastructure, and emerging AI agent security challenges. (Published on 4-Dec-2025, CSO Online). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!

This week’s cybersecurity landscape? Let’s just say the supply chain attacks are getting creative, the credential leaks are getting embarrassing, and emergency alert systems proved they’re not immune to ransomware.

From worms named after sci-fi sandworms to threat groups with identity crises, we’ve got breaches affecting everything from real estate finance to your favorite analytics platforms.

Oh, and reminder: those “helpful” code formatting websites? They’ve been collecting your credentials like Pokémon cards. Click through for the full roundup of this week’s digital chaos.

Malware & Vulnerabilities

Critical flaws and malicious software dominated headlines this week, from widely-used tools to emerging threats.

• 🚨 Critical 7-Zip vulnerability CVE-2025-11001 has a public exploit requiring manual update to version 25.01 to protect against high-risk attacks. (Published on 23-Nov-2025, Hackread). Read More

• 🔥 Firefox patched CVE-2025-13016, a critical Wasm memory bug that exposed 180 million users to code execution risks for six months. (Published on 25-Nov-2025, Hackread). Read More

• 📱 RadzaRat Android RAT disguises itself as a file manager with zero detection on VirusTotal, stealing passwords and files through keylogging. (Published on 24-Nov-2025, Hackread). Read More

• 🪱 Sha1-Hulud worm returned in a second wave, infecting nearly 500 npm packages and exposing over 26,000 GitHub repositories within 24 hours. (Published on 24-Nov-2025, CyberScoop). Read More

• 🎣 Shai-Hulud attack compromised 25,000+ repositories through npm preinstall credential theft in a sophisticated supply chain campaign targeting developers. (Published on 24-Nov-2025, The Hacker News). Read More

• ☁️ Five Fluent Bit vulnerabilities expose cloud services to path traversal, remote code execution, denial-of-service, and tag manipulation attacks. (Published on 25-Nov-2025, SecurityWeek). Read More

• 📦 North Korean hackers deployed 197 malicious npm packages with 31,000+ downloads, spreading updated OtterCookie malware combining BeaverTail features. (Published on 28-Nov-2025, The Hacker News). Read More

• 🤖 ShadowV2 botnet malware targets IoT devices from D-Link, TP-Link vendors, exploiting known vulnerabilities and testing during AWS outages. (Published on 26-Nov-2025, BleepingComputer). Read More

Major Cyberattacks & Incidents

Enterprise platforms and service providers faced significant breaches this week, exposing customer data and disrupting critical services.

• 🏢 SitusAMC real-estate finance giant disclosed data breach affecting customer information from banks and lenders served by their back-end platform. (Published on 24-Nov-2025, BleepingComputer). Read More

• 💰 Gainsight expanded impacted customer list beyond initial three customers following Salesforce security alert, with CEO acknowledging broader impact. (Published on 26-Nov-2025, The Hacker News). Read More

• 🚨 Inc Ransom ransomware group targeted OnSolve CodeRED platform, disrupting local emergency alert systems across the US and causing data breach. (Published on 26-Nov-2025, SecurityWeek). Read More

• 📊 Mixpanel hack exposed OpenAI user data along with multiple other customers in cyberattack targeting the product analytics company. (Published on 27-Nov-2025, SecurityWeek). Read More

• 📺 Comcast will pay $1.5 million FCC fine after February 2024 vendor data breach exposed personal information of nearly 275,000 customers. (Published on 26-Nov-2025, BleepingComputer). Read More

Espionage & Data Extraction

Sophisticated threat actors continued targeting organizations through social engineering and supply chain attacks.

• 💼 RomCom threat actors used SocGholish fake JavaScript updates to deliver Mythic Agent malware to US civil engineering company. (Published on 26-Nov-2025, The Hacker News). Read More

• 🎯 Scattered Lapsus$ Hunters deployed 40+ fake Zendesk domains and fraudulent support tickets to steal credentials and install malware. (Published on 28-Nov-2025, CSO Online). Read More

• 👤 Report names 15-year-old Saif Khader from Jordan as Scattered Lapsus$ Hunters admin “Rey,” though group denies the allegation. (Published on 27-Nov-2025, Hackread). Read More

• 📅 Threat actors exploit calendar subscriptions to deliver phishing links, malware, and social engineering attacks through hijacked domains. (Published on 28-Nov-2025, Infosecurity). Read More

Vulnerability Research & Industry Analysis

Years of accumulated security gaps exposed sensitive data across multiple platforms and tools.

• 🔑 JSONFormatter and CodeBeautify leaked 80,000+ files over years, exposing passwords and API keys from governments, telecoms, and infrastructure. (Published on 25-Nov-2025, The Hacker News). Read More

• 🛠️ Code beautifiers expose thousands of credentials from banks, government, and tech organizations in publicly accessible JSON snippets. (Published on 25-Nov-2025, BleepingComputer). Read More

• 🔒 Microsoft Teams B2B Guest Access flaw allows attackers to bypass all Defender for Office 365 protections with single invite. (Published on 26-Nov-2025, Hackread). Read More

Cybersecurity Tools & Techniques

New defensive capabilities and improved security measures provide organizations with better protection options.

• 🔐 Tor upgraded to Counter Galois Onion encryption algorithm, replacing old tor1 relay design for enhanced circuit traffic security. (Published on 25-Nov-2025, BleepingComputer). Read More

• 🔍 GreyNoise launched free IP Check tool to detect if your address appears in malicious botnet or residential proxy scanning operations. (Published on 28-Nov-2025, BleepingComputer). Read More

Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!