NIST Cuts Down CVE Analysis Amid Vulnerability Overload
The National Institute of Standards and Technology announced it will scale back enrichment of its National Vulnerability Database, concentrating only on the most critical CVEs—those in CISA’s Known Exploited Vulnerabilities catalog and software used by the federal government. The change follows a 263% surge in CVE submissions from 2020‑2025, leaving a backlog of over 30,000 entries despite enriching 42,000 CVEs in 2025. NIST will label non‑priority entries as “not scheduled” and will no longer calculate severity scores when vendors provide them. The agency plans to deploy AI, automation and CNA delegation to handle the growing volume.

North Korea Targets macOS Users in Latest Heist
North Korean Lazarus Group offshoot Sapphire Sleet is targeting macOS users with a fake Zoom SDK update delivered via a malicious AppleScript. The campaign begins with LinkedIn recruiter scams aimed at finance professionals, then tricks victims into running the script, which...

Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. "PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2...

If You Want Into Anthropic's Claude Club, You May Have to Show ID
Worse: Anthropic is using Persona, a privacy checker that rings alarm bells for the paranoids on Reddit. Anthropic may check your ID before letting you access certain Claude features, and the verification vendor it has picked is the same outfit that...

Cinia Taps Nokia for DDoS Protection of Critical Infrastructure
Cinia announced a new managed security service that leverages Nokia’s Deepfield Defender to provide 24/7 DDoS protection for its critical infrastructure networks. The AI‑based solution embeds detection and mitigation directly into the transport layer, giving Finnish customers real‑time threat awareness....

Mythos Poses Risk to SEC Market-Tracking Database, Group Says
Anthropic's new AI model could put traders and the broader financial system at risk through the Consolidated Audit Trail, the American Securities Association said.

Fragmented Regulation Complicates Telco Sovereignty Agenda – Omdia
Omdia spells out telcos' 'unique challenges' in implementing data sovereignty requirements compared to other businesses.

Critical MCP Vulnerability in Nginx-UI Now Actively Exploited in the Wild
The open‑source nginx‑UI, a web interface for managing Nginx configurations, has been found to lack authentication middleware, creating a critical Missing Control Plane (MCP) vulnerability. With over 11,000 GitHub stars and more than 430,000 Docker pulls, the tool is widely...

ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it's just... a lot? Yeah. This week delivered. We've got hackers getting creative in ways that are almost impressive if you ignore the whole "crime" part, ancient vulnerabilities somehow...

Bitcoin’s Quantum Migration Plan Forces the Network to Choose Between Frozen and Stolen Coins
Bitcoin’s BIP 361 draft proposes a three‑phase migration that would block new sends to quantum‑vulnerable addresses, then freeze legacy ECDSA/Schnorr coins, and possibly allow recovery via zero‑knowledge proofs. The plan follows BIP 360’s Pay‑to‑Merkle‑Root format and targets the roughly 34% of BTC...

Fashion Retailer Express Left Customers’ Personal Data and Order Details Exposed to the Internet
Express, a major U.S. fashion retailer, patched a website flaw that let anyone view other shoppers’ order confirmations. The vulnerability exposed names, contact details, addresses, purchase items and partial credit‑card data for at least a dozen customers, all accessible by...

Kenya’s LOLC Microfinance Bank Directors Risk Prosecution in Data Enforcement Case
Kenya’s Office of the Data Protection Commissioner (ODPC) has recommended criminal prosecution of directors at LOLC Microfinance Bank after the lender ignored a formal request to justify publishing a former employee’s personal data. The regulator found the bank unlawfully processed...

Behind the Mythos Hype, Glasswing Has Just One Confirmed CVE
Anthropic’s Project Glasswing, the gated access program behind its Mythos AI, has produced only one publicly attributed CVE (CVE‑2026‑4747) according to VulnCheck’s analysis. While Anthropic researchers are credited with 40 CVEs overall, the majority stem from external collaborations rather than...

Splunk Enterprise Update Patches Code Execution Vulnerability
Splunk released emergency patches for several critical flaws across its Enterprise, Cloud Platform, and MCP Server products. The most severe issue, CVE‑2026‑20204, allowed low‑privileged users to upload malicious files and achieve remote code execution due to improper handling of temporary...

Overstretched NIST to Limit CVE Enrichments
The U.S. National Institute of Standards and Technology (NIST) announced it will stop enriching every CVE entry in its National Vulnerability Database due to a surge in submissions. CVE submissions rose 263% between 2020 and 2025, overwhelming NIST’s resources. Going...