News without the noise
Security news and threats
50 articles
A team of academic researchers has published ARVO — the Atlas of Reproducible Vulnerabilities for Open-Source Software — a dataset of more than 6,100 real-world security vulnerabilities drawn from 311 open-source projects, designed to overcome the chronic reproducibility problems that have hampered automated vulnerability research for years.
A cluster of new academic studies published this week reveals significant vulnerabilities in AI agents that use tool-calling and chain-of-thought reasoning, showing that adversaries can redirect or deceive these systems by embedding malicious instructions in tool outputs or executable binary files — raising urgent questions about deploying AI agents in high-stakes cybersecurity workflows.
A pair of research papers published this week reveal both the promise and the significant limitations of large language models (LLMs) when deployed in cybersecurity defence roles, finding that while structured frameworks can meaningfully improve AI performance in threat hunting, fundamental vulnerabilities in how LLMs reason about cyber threat intelligence remain a serious concern for security teams.
Cybersecurity startup Exaforce has raised $125 million in a Series B funding round, valuing the company at $725 million, as enterprises scramble to counter a growing wave of AI-powered cyberattacks that can exploit software vulnerabilities faster than traditional defences can respond.
Two brothers who worked as IT contractors for the U.S. government allegedly deleted 96 government databases within minutes of being dismissed from their shared employer, federal authorities say, in a case that underscores longstanding vulnerabilities in how agencies manage digital access for departing staff.
Microsoft, Apple, Mozilla and other major technology companies released unusually large volumes of security patches in May 2026, with security researchers attributing much of the surge to 'Project Glasswing,' an AI-powered vulnerability detection capability developed by Anthropic that has proven remarkably effective at finding flaws in human-written code.
Foxconn, the Taiwanese electronics giant best known for assembling Apple's iPhones, has been hit by another ransomware attack, raising fresh questions about the cybersecurity posture of large-scale contract manufacturers that sit at the heart of the global technology supply chain.
A U.S. bank has disclosed a security lapse in which customer data was shared with an unauthorised artificial intelligence application, raising fresh concerns about the risks of employees using unsanctioned software tools in regulated industries.
The FBI and NSA have jointly disclosed that Russian state-linked actors have been systematically compromising home and small office wireless routers since at least 2024, prompting US authorities to obtain a court order allowing them to remotely reset thousands of affected devices across the country — a move officials say is only a temporary fix.
Instructure, the developer behind the widely used Canvas learning management system, announced Monday that it has reached an 'agreement' with the hackers responsible for a cyber attack on its platform, though the company has not disclosed what it offered in exchange for the return of stolen data.
TanStack, a widely-used suite of JavaScript libraries relied upon by thousands of developers worldwide, suffered a supply-chain compromise through the npm package registry, according to a postmortem published in May 2026. The incident highlights the continuing vulnerability of open-source software ecosystems to dependency-based attacks.
TanStack, a widely-used collection of JavaScript libraries including TanStack Query and TanStack Router, had several of its NPM packages compromised in a supply chain security incident reported on May 11, 2026, raising fresh concerns about the security of open-source package ecosystems.
Artificial intelligence has transformed hacking from a specialist craft into an industrial-scale threat in just three months, according to a new report from Google's threat intelligence group, raising urgent questions about how commercial AI models are being weaponised by both criminal organisations and state-linked actors.
A critical security vulnerability in baby monitors and home security cameras manufactured by Chinese firm Meari Technology left approximately one million devices open to unauthorised viewing, allowing anyone with access to a single camera on the network to potentially access all others, according to a report published Sunday by The Verge.
Google's Threat Intelligence Group has identified and stopped what it describes as the first confirmed zero-day exploit developed with the assistance of artificial intelligence, thwarting a planned mass exploitation attack that would have allowed cybercriminals to bypass two-factor authentication on a widely used web-based administration tool.
Google has identified what it says is the first confirmed instance of criminal hackers using artificial intelligence to discover a previously unknown software vulnerability, raising alarms among cybersecurity experts who warn the development marks a significant escalation in the capabilities available to malicious actors.
A security researcher has published details of a local privilege escalation (LPE) vulnerability in the Linux kernel's io_uring subsystem — specifically within the Zero-Copy Receive (ZCRX) freelist mechanism — demonstrating how a seemingly minor integer value could be manipulated to gain full root access on an affected system.
Security researchers have disclosed a second critical Linux kernel vulnerability within eight days, with the newly identified flaw dubbed 'Dirty Frag' (CVE-2026-43284) allowing attackers to gain root-level access on affected systems — raising fresh questions about the security posture of the world's most widely deployed server and embedded operating system.
Let's Encrypt, the non-profit certificate authority that provides free TLS certificates to millions of websites worldwide, temporarily stopped issuing certificates on May 8, 2026, citing a potential incident — raising concerns among webmasters and security professionals who depend on the service for encrypted web traffic.
A hacking group has breached Canvas, a widely used academic software platform, disrupting operations at thousands of schools and universities around the world, according to a report published Friday by BBC News.
France is advancing legislative measures that would require encrypted messaging services to provide law enforcement with access to private communications, according to reports circulating in May 2026 — a move that has drawn sharp criticism from privacy advocates and security researchers who warn it could undermine digital security for all users.
Highly sensitive personal data belonging to a European celebrity — apparently gathered through stalkerware or spyware — was left publicly exposed online until a security researcher discovered and flagged the breach, illustrating in stark terms the compounding dangers faced by victims of covert surveillance software.
A logic flaw in Linux's cryptographic authentication code — identified in a component known as 'authencesn' — has been found to enable local privilege escalation, potentially allowing unprivileged users to gain root-level access to affected systems. Major Linux distributions began shipping patches in late April 2026 to address the vulnerability.
Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings that attackers are actively exploiting a zero-click Windows vulnerability capable of exposing sensitive information on unpatched systems — coming on the heels of revelations that Microsoft's earlier patch for a separate zero-day, previously exploited by Russian state-sponsored hackers, failed to fully address the underlying flaw.
Security researchers disclosed multiple high-severity vulnerabilities this week, including a critical authentication bypass in cPanel & WHM (CVE-2026-41940) that could expose millions of hosted websites to full server compromise, and a Linux privilege escalation exploit (CVE-2026-31431) capable of granting root access across every major Linux distribution using just 732 bytes of code — while the broader cybersecurity community continues to grapple with escalating software supply chain attacks.
Sri Lanka's government has disclosed losing more than $3 million across two separate cybersecurity incidents in quick succession, with the latest revelation coming just days after hackers stole $2.5 million from its finance ministry, compounding financial pressure on a country still rebuilding from a devastating 2022 sovereign debt crisis.
Apple has patched a security vulnerability that allowed law enforcement, including the FBI, to forensically extract Signal messages from iPhones even after the encrypted messaging app had been deleted — a fix prompted by investigative reporting that revealed the flaw had been exploited in at least one federal criminal case.
Logistics technology company Pitney Bowes has been named as the latest alleged victim of the ShinyHunters hacking group, with breach notification service Have I Been Pwned reporting that roughly 8.2 million email addresses — along with names, phone numbers, and physical addresses — may have been exposed in a data dump attributed to the prolific cybercriminal collective.
Security researchers and developers are raising renewed concerns about GitHub Actions, the widely used continuous integration and deployment platform, arguing that its architectural design and common usage patterns make it one of the most exploitable entry points in modern software supply chains.
A widely-used open source machine-learning monitoring tool was compromised late last week when attackers exploited a vulnerability in the developers' account workflow, pushing a malicious version that harvested user credentials, API tokens, and SSH keys from affected systems — a breach that underscores the persistent security risks embedded in the modern open source software supply chain.
ADT, one of the United States' largest home security companies, has confirmed a cyber intrusion after the hacking group ShinyHunters claimed to have stolen more than 10 million customer records and launched an extortion attempt against the firm, highlighting an uncomfortable irony for a company whose core business is protecting homes and businesses.
A significant data breach has struck Mercor, an AI talent platform, with attackers stealing approximately 4 terabytes of voice samples collected from roughly 40,000 contractors who were hired to generate training data for artificial intelligence systems.
A Chinese national accused of conducting cyberattacks on behalf of the Chinese government has been extradited to the United States, where he faces charges related to breaching thousands of American organizations and stealing COVID-19 research, according to a report by TechCrunch published on April 27, 2026.
London Mayor Sadiq Khan is considering intervening to prevent Scotland Yard from signing a potentially multimillion-pound contract with US data analytics firm Palantir, citing concerns that the company's conduct conflicts with the values of the capital, his office confirmed on Monday.
Itron, a major American technology company that supplies water and energy monitoring systems and utility meters to hundreds of millions of homes and businesses worldwide, has disclosed that it was the victim of a cyberattack, raising fresh concerns about the security of critical infrastructure.
An employee of Trenchant, a US defence contractor and government malware vendor, secretly sold a suite of powerful hacking tools to a Russian company, according to reporting by TechCrunch journalist Lorenzo Franceschi-Bicchierai. The tools are believed to have subsequently reached Russian intelligence services and may also have been acquired by Chinese criminal actors, in what security researchers are describing as one of the most consequential leaks in the modern commercial spyware industry.
GnuPG, one of the most widely deployed open-source encryption tools in the world, is integrating post-quantum cryptographic algorithms into its mainline codebase, a significant step toward protecting encrypted communications against the anticipated threat posed by future quantum computers.
Hundreds of subdomains belonging to at least 34 of the world's most prestigious universities — including UC Berkeley, Columbia University, and Washington University in St. Louis — have been hijacked by scammers to serve explicit pornography and malicious content, a cybersecurity researcher revealed this week, exposing a systemic failure in how institutions manage their web infrastructure.
Unauthorised users gained access to Anthropic's internal system known as Mythos through Discord, according to reporting by Wired, as cybersecurity chiefs from companies with legitimate access to the tool simultaneously warned that its broader rollout will require close coordination between governments and private industry to remain secure.
A previously unknown cybercriminal group has been identified conducting data-theft attacks by impersonating IT helpdesk staff through Microsoft Teams chat invitations while simultaneously deploying custom malware, according to research published Friday by Google's Threat Intelligence Group.
Carnival Corporation, the world's largest cruise operator, is facing a potential major data breach after the notorious hacking group ShinyHunters claimed responsibility for stealing customer data, with breach-notification service Have I Been Pwned flagging approximately 7.5 million unique email addresses allegedly tied to one of the company's subsidiaries.
US and UK cybersecurity authorities have jointly disclosed the discovery of a previously unknown backdoor malware dubbed 'Firestarter' on the network of an unnamed US federal agency, raising fresh alarms about the ongoing targeting of government infrastructure — particularly through vulnerable Cisco networking equipment.
Health data from the UK Biobank, one of the world's most significant biomedical research databases containing genetic and health information on approximately 500,000 volunteers, has repeatedly been discovered in public repositories on GitHub, raising serious concerns about data governance, researcher compliance, and the privacy of participants who contributed their biological samples and personal health records.
Security researchers presenting at Black Hat Asia have demonstrated that weak cybersecurity practices in public electric vehicle charging networks and shared e-bike systems could allow attackers to disable entire fleets of devices across a city, raising urgent concerns about the resilience of fast-expanding urban IoT infrastructure.
A ransomware family known as Kyber has become the first confirmed strain to employ post-quantum cryptography, using an encryption standard developed by the US National Institute of Standards and Technology (NIST) to protect its file-scrambling keys against both current and future quantum computing attacks — marking a troubling new frontier in ransomware sophistication.
Britain's National Cyber Security Centre (NCSC), alongside agencies from nine other countries, has issued a joint warning that Chinese state-backed hacking groups are exploiting common devices such as wi-fi routers to conduct espionage against UK businesses, urging companies to significantly increase their cyber vigilance.
Cyber criminals have hacked Sri Lanka's finance ministry and stolen approximately $3.7 million that had been set aside to repay debts owed to Australia, in a significant breach that complicates the debt-stricken nation's ongoing financial recovery efforts.
Two commercial surveillance companies were caught exploiting access to the global cellular network backbone to covertly track the physical locations of individuals across multiple countries, according to new research published Wednesday by the University of Toronto's Citizen Lab.
A new supply chain worm is spreading through compromised npm packages, harvesting secrets and sensitive data from developers' environments, security researchers have warned. The malware, which references a 'TeamPCP/LiteLLM method' in its payload, bears significant similarities to a wave of open source infections attributed to the TeamPCP threat actor last month.
North Korea's elite Lazarus hacking group has begun leveraging artificial intelligence to automate and scale sophisticated cyberattacks specifically targeting software developers, according to a new analysis published by cybersecurity firm Expel, raising fresh concerns about the industrialisation of state-sponsored cybercrime.