Know What's Happening in Cybersecurity

Today's Cybersecurity Pulse

CISA adds critical Android and Linux flaws to KEV catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed two high‑severity vulnerabilities in its Known Exploited Vulnerabilities catalog: Android CVE‑2025‑48595, an integer overflow that enables privilege escalation on Android 14‑16 without user interaction, and Linux CVE‑2022‑0492. Google released patches for the Android bug in June 2026.

Smart TVs Silently Siphon Classified Data to Foreign Adversaries
Social · Apr 18, 2026

This is a massive and growing problem for American national security. Unbelievable amounts of sensitive and classified information are captured, scraped, and sent back to foreign nations. And users have no idea. Nobody expects that their TV or monitor...

By Palmer Luckey
I Encrypted My DNS with a Free App and It Works Brilliantly
News · Apr 18, 2026

Cloudflare has released a free app, 1.1.1.1 + WARP, that encrypts DNS queries on Windows, macOS, Linux, Android and iOS. The client offers two operating modes: a lightweight DNS‑only mode that protects lookups, and a full‑WARP mode that tunnels all traffic through...

By MakeUseOf – Productivity
Google Researchers Show Quantum Computer Can Crack Bitcoin in 9 Minutes
News · Apr 18, 2026

Researchers at Google have demonstrated that a quantum computer could recover a Bitcoin private key in roughly nine minutes using Shor's algorithm. The finding compresses a timeline that was once thought to be decades away into a single‑digit minute window,...

By Pulse
PoC Exploit for Critical FortiSandbox Flaw CVE‑2026‑39808 Goes Public
News · Apr 18, 2026

A proof‑of‑concept exploit for Fortinet’s FortiSandbox vulnerability CVE‑2026‑39808 has been posted on GitHub, enabling unauthenticated remote code execution as root. The flaw, affecting versions 4.4.0‑4.4.8, was patched in April 2026, but the public exploit raises urgent remediation pressure for customers.

By Pulse
Google Archives Every Search, Location, and Video—Delete Now
Social · Apr 18, 2026

Google has a recording of every search you've ever made. Every place you've ever been. Every YouTube video you've ever watched. Go to https://t.co/SsI3dVLQDL right now. You'll find searches from 2015. Voice recordings. GPS coordinates. All stored. All linked to your name. Here's how to...

By Hasan Toor
Critical Flaw in Protobuf Library Enables JavaScript Code Execution
News · Apr 18, 2026

A critical remote code execution vulnerability was discovered in protobuf.js, a widely used JavaScript implementation of Google’s Protocol Buffers that sees roughly 50 million weekly npm downloads. The flaw, tracked as GHSA‑xq3m‑2v4x‑88gg, stems from unsafe dynamic code generation that lets malicious...

By BleepingComputer
ShowDoc Vulnerability Patched in 2020 Now Used in Active Server Takeovers
News · Apr 18, 2026

Researchers have confirmed that the five‑year‑old ShowDoc vulnerability CVE‑2025‑0520 is being actively exploited to upload malicious PHP web shells, granting remote code execution and full server takeover. The flaw, an unrestricted file‑upload issue with a CVSS score of 9.4, was...

By HackRead
NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support
News · Apr 18, 2026

NAKIVO Backup & Replication v11.2 is now generally available, adding automated real‑time replication, full support for VMware vSphere 9 and Proxmox VE 9.0/9.1, and native OAuth 2.0 email authentication. The release embeds immutable backups, AES‑256 encryption and pre‑recovery malware scanning to harden ransomware...

By BleepingComputer
Tax Documents for School Employees Potentially Stolen Across Los Angeles County
News · Apr 18, 2026

The Los Angeles County Office of Education (LACOE) is probing a possible breach that exposed electronic tax documents of teachers and administrators after fraudulent filings were reported. Two school districts received letters about fake tax returns, but LACOE has not...

By DataBreaches.net
Judge Lets State Auditor’s Investigation Into Data Breach Affecting Blue Cross Blue Shield Members Move Forward
News · Apr 18, 2026

A Montana state district judge dismissed Health Care Service Corporation’s lawsuit, allowing the state auditor to continue probing a data breach that may have exposed the protected health information of roughly 462,000 Blue Cross Blue Shield of Montana members. The...

By DataBreaches.net
Airtel Starts Warning Users During Calls for OTP Fraud
News · Apr 18, 2026

Bharti Airtel has rolled out a real‑time on‑screen alert that triggers during live calls whenever a bank one‑time password (OTP) is detected. The feature nudges users to pause and reconsider sharing sensitive information, rather than blocking the call. By intervening...

By TelecomTalk (India)
Advocates Push Ban on Sale of Precise Geolocation Data, Citing Ad‑Tech Privacy Risks
News · Apr 18, 2026

A coalition of privacy advocates, citing a new Citizen Lab report, is urging U.S. lawmakers to prohibit the sale of precise geolocation data. The report details how Penlink’s Webloc product can access records from up to 500 million mobile devices, raising...

By Pulse
CISA Flags Critical Apache ActiveMQ RCE Flaw in KEV Catalog, Orders Federal Patch by April 30
News · Apr 18, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has added a high‑severity remote code execution vulnerability in Apache ActiveMQ (CVE‑2026‑34197, CVSS 8.8) to its Known Exploited Vulnerabilities catalog and ordered all federal agencies to patch the flaw by April 30, 2026. The flaw...

By Pulse
IMF Urges Global Bank Data Sharing to Counter Surge in Digital Fraud
News · Apr 18, 2026

International Monetary Fund Managing Director Kristalina Georgieva called on banks to share cyber‑fraud data after an IMF working paper found U.S. banks accounted for 46% of global incidents from 2014‑2023. The push aligns with recent FinCEN proposals and could reshape...

By Pulse
Cal.com Shuts Down Open‑Source Model Citing AI‑Powered Code Exploitation Risks
News · Apr 18, 2026

Cal.com announced it will cease being an open‑source product, arguing that AI can scan and exploit publicly available code at near‑zero cost. The move highlights a growing tension between transparency and rapid AI‑enabled threat discovery in the SaaS sector.

By Pulse
Techie Buys Fake Ledger Nano S+ Hardware Crypto Wallet and Almost Falls for Phishing — a Convincing Clone Would Have...
News · Apr 18, 2026

Brazilian cybersecurity professional Joje Mendes purchased a counterfeit Ledger Nano S+ from a Chinese marketplace and discovered the device was a sophisticated phishing tool. Ledger’s official software flagged the hardware as non‑genuine, prompting Mendes to open the case and find an...

By Tom's Hardware
JanelaRAT Malware Now Hijacking Banking Sessions of Users in Latin America: Research
News · Apr 18, 2026

Kaspersky’s GReAT team has identified a new JanelaRAT variant that specifically targets online banking customers in Brazil and Mexico. The malware disguises itself as a pixel‑art program and is delivered via phishing emails containing malicious VBS scripts. Unlike earlier versions,...

By Crowdfund Insider
T-Series Issues Urgent Fraud Alert After Fake Emails Promise Music Video Opportunities in Company’s Name
News · Apr 18, 2026

T-Series has issued a public warning after discovering fraudsters creating fake email accounts that promise music‑video opportunities in the label’s name. The company clarified that it never conducts business through personal email services such as Gmail and that all legitimate...

By Bollywood Hungama
DKIM Challenge in Salesforce Sandboxes: A Practical Workaround
Blog · Apr 18, 2026

Salesforce now mandates that all user‑authored emails use a verified domain via DKIM or an Authorized Email Domain. In sandbox environments, DKIM must be configured per instance and is lost after each refresh, making maintenance cumbersome. Unverified domains cause Apex,...

By Salesforce Time
A New Era of AI Crime Has Arrived with Anthropic’s Mythos
News · Apr 18, 2026

Anthropic unveiled Claude Mythos, its newest frontier AI model, which independently demonstrated the ability to execute a 32‑step corporate network intrusion. The test highlighted the model’s capacity to autonomously plan and carry out sophisticated cyber‑attack sequences. As AI tools become...

By MarketWatch – Top Stories
The Hidden Risks of Vibe Coding: 4 Steps to Protect Your Organization
News · Apr 18, 2026

Vibe coding lets non‑technical staff generate functional software by prompting AI models such as Claude or ChatGPT. While it accelerates innovation, the code’s provenance is opaque, exposing firms to hidden malware, data exfiltration, and IP infringement. The article outlines four...

By Fast Company
Cross‑Disciplinary Maintenance Insights Boost Cybersecurity Programs
Social · Apr 18, 2026

The Maintenance of Everything: Studying how other fields think about maintenance and sustainment is extremely useful. These areas are rich in lessons to apply to cybersecurity. Stewart Brand’s Maintenance of Everything is a brilliant overview of many of these fields. It’s...

By Phil Venables
Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks
News · Apr 18, 2026

Tycoon 2FA, once the dominant phishing‑as‑a‑service platform with an 89% market share, lost its crown after a coordinated law‑enforcement seizure of 330 domains in March. Barracuda Networks reports that attacks using the four major kits—Tycoon, Mamba, EvilProxy and Sneaky—have risen from...

By SecurityWeek
It Takes 2 Minutes to Hack the EU’s New Age-Verification App
News · Apr 18, 2026

A security researcher demonstrated that the European Commission’s new open‑source age‑verification app can be compromised in under two minutes, exposing a critical flaw in the PIN storage mechanism. The vulnerability comes as the EU pushes mandatory age checks for social‑media...

By WIRED
Microsoft Launches Copilot for Compliance Teams in Microsoft 365
News · Apr 18, 2026

Microsoft has introduced Copilot for Compliance Teams within Microsoft 365, giving legal and compliance departments AI‑driven policy checks, data‑privacy reviews and regulatory reporting. The rollout emphasizes centralized governance, role‑based access and integration with Microsoft Purview, Entra and Defender to keep...

By Pulse
Bluesky COO Rose Wang Blames Sophisticated DDoS Attack for Ongoing Outages
News · Apr 18, 2026

Bluesky’s chief operating officer, Rose Wang, confirmed that a sophisticated distributed denial‑of‑service attack that started on April 15 at 8:40 p.m. ET is behind the platform’s intermittent website and app outages. The attack has forced the company to issue status updates and...

By Pulse
Insurtech Veteran Tamara Ashjian Urges Businesses to Prioritize Cyber‑Risk Awareness
News · Apr 18, 2026

Tamara Ashjian, a former vice‑president of cyber and technology claims at Tokio Marine HCC, is publicly urging businesses and individuals to treat cyber risk as a daily priority. Citing that more than 60% of small firms shut down after a...

By Pulse
Finance Chiefs Warn AI Models Could Destabilize Global Banking
News · Apr 18, 2026

International finance leaders warned this week that emerging generative AI models, notably Anthropic's Mythos, could expose systemic weaknesses in the global banking system. IMF, ECB, and central banks called for coordinated oversight as AI accelerates cyber‑risk vectors.

By Pulse
NIST Limits CVE Enrichment to Critical Bugs, Drops Broad Coverage
News · Apr 18, 2026

The U.S. National Institute of Standards and Technology announced it will stop enriching most CVE entries, focusing only on vulnerabilities flagged by CISA KEV, used by federal agencies, or classified as critical software. The shift ends NIST’s practice of adding...

By Pulse
Kyrgyzstan‑Registered Grinex Blames Western Intelligence for $15 Million Crypto Hack
News · Apr 18, 2026

Grinex, a Kyrgyzstan‑registered exchange sanctioned by the U.S., said it is suspending operations after a $15 million cyber‑theft it attributes to Western intelligence. The claim, made amid ongoing sanctions and a parallel breach at TokenSpot, could intensify scrutiny of crypto platforms...

By Pulse
Passkeys: The Underrated Upgrade Securing Modern Web
Social · Apr 18, 2026

passkeys don't get enough credit for how much they have shaped and secured the internet these past 2-3 years. when a site has it, it is usually a positive signal on how seriously they take security. going from a world of...

By Sriram Krishnan
How to Hide Your Sensitive Info (for Real) when Using ChatGPT and Other AI Chatbots
News · Apr 18, 2026

The article warns that using standard PDF markup tools to hide personal data before feeding documents to AI chatbots offers no real protection, as the underlying text remains recoverable. It recommends employing dedicated redaction software that permanently removes sensitive content,...

By Fast Company
Ignoring DPDP Compliance? Here’s the Risk to Your Organization
News · Apr 18, 2026

The Digital Personal Data Protection (DPDP) Act of 2023 obliges Indian and global firms to adopt rigorous data‑governance, consent, and security practices or face steep penalties. Non‑compliance can trigger fines up to ₹250 crore (about $30 million), erode consumer trust, and drive...

By Security Boulevard
Why Your Car Key Can Cost $3,000 in 2026: The Hidden Technology Behind Modern Vehicle Security
News · Apr 18, 2026

A lost Land Rover Discovery key fob in Honolulu was quoted at nearly $3,000, illustrating how modern car keys have become encrypted digital credentials rather than simple metal tools. Today’s keys contain rolling codes, secure microcontrollers, and VIN‑locked immobilizer links...

By TechBullion
Rust Tailscale Library Expands with C, Elixir, Python Bindings
Social · Apr 18, 2026

tailscale-rs: It is a work-in-progress Tailscale library written in Rust, with language bindings to C, Elixir, and Python. https://github.com/tailscale/tailscale-rs

By Sung Kim
Anthropic MCP Has Critical Flaw Enabling Full System Takeover
Social · Apr 18, 2026

The Architectural Flaw at the Core of Anthropic's MCP according to OX allows complete system takeover in some cases. Of course they sell a tool to secure it but if using MCP you should understand how this works and how...

By Teri Radichel
Cloudflare, GoDaddy Team Up to Give Marketers Control Over AI Crawlers
News · Apr 18, 2026

Cloudflare and GoDaddy announced a strategic partnership that integrates Cloudflare’s AI Crawl Control into GoDaddy’s hosting platform and introduces the ANS open standard for AI agent identity. The move aims to give website owners and marketers visibility into AI‑generated traffic,...

By Pulse
WordPress Plugin Flaw Lets Attackers Bypass Login, Seize Admin Control
Social · Apr 18, 2026

A critical WordPress plugin flaw allows attackers to bypass authentication and gain full administrative control, exposing websites to data theft and malware attacks. https://t.co/lNfDVZAz0K

By TechRadar
X Patches VPN Loophole, Reveals True Foreign Accounts
Social · Apr 18, 2026

Looks like X finally fixed the VPN loophole that let our overseas competitors show up as 🇺🇸 This is accurate now except @splash_247 is registered in Singapore with an Australian office and @tradewindsnews is Norwegian. TW does employ a few American...

By John Konrad
Microsoft, Stellantis Ink Five‑Year AI Deal to Transform Vehicle Software
News · Apr 18, 2026

Microsoft and Stellantis announced a five‑year strategic partnership to co‑develop more than 100 AI initiatives, migrate the automaker’s IT to Azure, and boost cybersecurity. The deal aims to close the technology gap with software‑centric rivals and give Stellantis a unified...

By Pulse
Five Teams Unite to Recover Funds and Boost NEAR Security
Social · Apr 18, 2026

In trying times like this it was great to see collaboration between 5 different ecosystem teams and also global partners to track down what happened, responsible actor and recover funds. Security and resilience is going to be an ever more important...

By Illia Polosukhin
Avoid Eth_limo URLs After DNS Attack Warning
Social · Apr 18, 2026

The kind people at @eth_limo have warned me that there has been an attack on their DNS registrar. So please do not visit https://t.co/BVfZIYrDKe or other https://t.co/OgoUF2qKUY pages until they confirm that things are back to normal. You can check my...

By Vitalik Buterin
Anthropic CEO Dario Amodei Meets White House Chief of Staff Over Access to Mythos AI Model
News · Apr 18, 2026

Anthropic chief executive Dario Amodei sat down with White House chief of staff Susie Wiles on April 17 to negotiate government access to the company’s Mythos AI model. The meeting, described as “productive and constructive,” comes as the Pentagon has...

By Pulse
AI Emerges as Leading Data Security Threat
Social · Apr 18, 2026

AI Becomes A Top Data Security Concern - Fintech Schweiz Digital Finance News - FintechNewsCH https://t.co/c4BCBKY7Qu https://t.co/5EUNVC4oiQ

By Oliver Bussmann
DeFi Hacks Surge After $280 Million Drift Protocol Exploit, Raising Banking Security Concerns
News · Apr 18, 2026

More than a dozen DeFi protocols have been compromised in the two weeks after the $280 million Drift Protocol exploit on April 1. The cascade of attacks, including a $7.6 million breach at Rhea Finance, underscores the growing vulnerability of crypto‑linked assets that...

By Pulse
Nigeria’s Digital Payments Surge, but Fraud Losses Top $110 M
News · Apr 18, 2026

Nigeria’s digital payment ecosystem has expanded more than 300% since 2019, processing trillions of naira each month. At the same time, fraud losses have surged past ₦52 billion ($113 million), exposing gaps in security. Regulators and banks are now racing to align...

By Pulse
IBM Urges Immediate Shift to Quantum‑Safe Crypto as Quantum PCs Near Breakthrough
News · Apr 18, 2026

IBM announced that fault‑tolerant quantum computers may reach cryptographic relevance by the end of the decade, prompting the company to accelerate its quantum‑safe roadmap. The tech giant highlighted its role in co‑authoring three of four NIST post‑quantum algorithms in 2024...

By Pulse
AMD FP-DSS Security Bug For Zen 1 CPUs Made Public, Linux Kernel Patched
Blog · Apr 18, 2026

A floating‑point divider state sampling (FP‑DSS) vulnerability has been disclosed for AMD Zen 1 and Zen 1+ processors, including early Ryzen and EPYC chips. The flaw is a transient‑execution issue that could let a locally‑privileged attacker extract data through the floating‑point divisor...

By Phoronix
Zoom Adds World ID Biometric Verification to Curb Deepfake Fraud in Meetings
News · Apr 18, 2026

Zoom announced a partnership with Sam Altman’s World ID to embed biometric human verification into its video‑conferencing platform. The new "Verified Human" badge, backed by iris‑scan technology, targets deep‑fake fraud that has already cost businesses more than $200 million in the...

By Pulse