The FBI, Google, and Lumen Technologies say they’ve dismantled a China-based phishing-as-a-service operation called Outsider Enterprise.

A software architect determined that they could practically install anything they want on the infotainment system of their 2021 Honda Civic through the front USB port. While the head unit required a signed AOSP file to update itself, the AOSP test key is publicly known, meaning anyone with the knowledge could potentially build their own update file and load it with malware.

Nightmare-Eclipse's vendetta against Microsoft and Windows continues apace — researcher publishes RoguePlanet and GreatXML local privilege escalation zero-day exploits

Hades malware campaign now tricks AI bots into not scanning development packages, as prompts for bio- and nuclear weapons trigger failsafe mechanisms.

AMD took over four months to fix a critical security bug in its autoupdater, and the security researcher didn't see a dime for his efforts

Security researcher Rasmus Moorats has demonstrated that Creative's Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from up to 16 yards away.

Ssh, don't tell the customer anything.

9.8-rated Windows Server vulnerability can grants system privileges with just a malformed packet — domain controllers being exploited in the wild

FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk.

Wide-ranging 7-zip vulnerability allows for code execution and has an 8.8 CVE rating, hundreds of millions of machines potentially vulnerable

Microsoft's GitHub bans security researcher who posted zero-day Windows exploits

Zero-Day clock visualizes the effect of AI on software security and predicts that exploits will happen one minute after disclosure in 2027.

Europol's Operation Saffron takes down privacy-focused First VPN service

GitHub has confirmed a breach involving roughly 3,800 internal repositories after an employee device was compromised through a malicious VS Code extension. The TeamPCP hacker group claims it stole internal source code and attempted to sell the data for at least $50,000.

Apple M5 architecture gets its first privilege escalation exploit

Microsoft Bitlocker-protected drives can be opened with just some files on a stick

Microsoft says attackers compromised the mistralai PyPI package with malware that executed on import, while researchers link related npm compromises affecting TanStack and Mistral SDKs to the broader “Mini Shai-Hulud” supply-chain campaign.

AI-assisted bug detection has massively accelerated the timeline in which new security vulnerabilities are discovered, and one researcher argues that has killed the standard 90-day disclosure policy.

Surfshark One+ with Incogni covers both real-time threats and removes your personal data from the internet—for $91.99 over 2 years.

(via Cult of Mac - Your source for the latest Apple news, rumors, analysis, reviews, how-tos and deals.)

Dirty Frag exploit gets root on most Linux machines since 2017, no patches available