Security This Week

ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants

MongoDB warns admins to patch severe vulnerability immediately

PornHub extorted after hackers steal Premium member activity data

Attackers hit React defect as researchers quibble over proof

An ingenious Apple Service hoax is convincing users their account is under attack

Anthropic claims of Claude AI-automated cyberattacks met with doubt

Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection

No one pays ransomware demands anymore - so attackers have a new goal. Also: Ransomware Surge in Europe: Cybercriminals Exploit GDPR Penalties, Target Key Sectors

AWS crash causes $2,000 Smart Beds to overheat and get stuck upright

Skynet-1A: Military Spacecraft Launched 56 Years Ago Has Been Moved By Persons Unknown

Carl, Duane, and Patrick recorded this week's episode in front of a live audience at CyberSecurity Intersection, a cyber conference held at Universal Studio in Orlando, FL the week of October 5.

Japan's beer giant Asahi Group cannot resume production after cyberattack

U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area

New attack on ChatGPT research agent pilfers secrets from Gmail inboxes

Hackers left empty-handed after massive NPM supply-chain attack

Salt Typhoon pwned 'nearly every American'

Someone Created the First AI-Powered Ransomware Using OpenAI's gpt-oss:20b Model

Security researcher driven by free nuggets unearths McDonald's security flaw — changing 'login' to 'register' in URL prompted site to issue plain text password for a new account

BitUnlocker – Multiple 0-days to Bypass BitLocker and Extract All Protected Data

Federal court filing system hit in sweeping hack

Minnesota National Guard activated, state of emergency declared after cyberattack against St. Paul

Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

Russian alcohol retailer WineLab closes stores after ransomware attack

Call of Duty: WW2 pulled from PC following reports of remote code exploit trolling players with 'Notepad pop-ups, PC shutdowns' and desktop wallpaper of a lawyer

Quantum tech is coming — and with it a risk of cyber doomsday

Russian hackers bypass Gmail MFA using stolen app passwords.

https://www.malwarebytes.com/blog/news/2025/06/google-bug-allowed-phone-number-of-almost-any-user-to-be-discovered

BADBOX 2.0 Android malware infects millions of consumer devices

Meta found 'covertly tracking' Android users through Instagram and Facebook

Signal says no to Windows 11’s Recall screenshots

Chinese ‘kill switches’ found hidden in US solar farms

You can now submit your claims for Apple’s $95 million Siri spying settlement

Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks

Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

Funding Expires for Key Cyber Vulnerability Database

Incomplete Patch in NVIDIA Toolkit Leaves CVE-2024-0132 Open to Container Escapes

Protect Yourself from Identity Theft and Fraud

National Security Officials Were Warned in February That Signal Was Vulnerable to Attack

Millions Of RSA Keys Expose Serious Flaws That Can Be Exploited

Undocumented commands found in Bluetooth chip used by a billion devices

Malicious Chrome extensions can spoof password managers in new attack

Microsoft deploys new state of matter in its first quantum computing chip

DOGE’s .gov site lampooned as coders quickly realize it can be edited by anyone

UK orders Apple to open up users' encrypted cloud data, report says

DeepSeek exposed internal database containing chat histories and sensitive data

Millions of Accounts Vulnerable due to Google’s OAuth Flaw

Hackers have devised a simple text scam to bypass Apple’s iPhone protections

Volkswagen leak exposed location data for 800,000 electric cars

Urgent New Gmail Security Warning For Billions As Attacks Continue

The numbers are almost incomprehensible!

Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States

FBI Warns iPhone And Android Users—Stop Sending Texts

Fortinet VPN design flaw hides successful brute-force attacks

Ruthless sextortion scammers now threatening to show up at your house

Schneider Electric ransomware crew demands $125k paid in baguettes

Hacked U.S. robot vacuums are yelling racial slurs and chasing pets!

https://thehackernews.com/2024/10/microsoft-reveals-macos-vulnerability.html

Hacking with a BBQ Lighter: The Unlikely Method to Gain Laptop Access

Lamborghini Carjackers Lured by $243M Cyberheist

Large language models hallucinating non-existent developer packages could fuel supply chain attacks

Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems Awaiting Full Disclosure

New Details of Hezbollah Exploding Pagers' Supply Chain Emerge

New PIXHELL acoustic attack leaks secrets from LCD screen noise

Researchers find SQL injection to bypass airport TSA security checks

Windows Downdate tool lets you 'unpatch' Windows systems

Major Backdoor in Millions of RFID Cards Allows Instant Cloning

Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now

Ronin Network hacked, $12 million returned by "white hat" hackers

Deleted GitHub data is forever accessible to anyone, researchers claim

We have a lot to say about last week's CrowdStrike incident

US Disrupts AI-Powered Russian Bot Farm on X

Dev rejects CVE severity, makes his GitHub repo read-only

Mitigating Skeleton Key is a new type of generative AI jailbreak technique

Microsoft Delays AI-Powered Recall Feature for Copilot+ PCs Amid Security Concerns

Microsoft Ignored Whistleblower Warnings Before SolarWinds Attack

Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

Zoom adds 'post-quantum' encryption for video nattering

Hear about what Carl learned about AI Security while at Microsoft Build in Seattle last week.

New WiFi Flaw Leaves All Devices Vulnerable to ‘SSID Confusion’ Attacks

The US Government Is Asking Big Tech to Promise Better Cybersecurity

An SEC security breach filing has us wondering!

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

Hackers targeted LastPass employee in failed deep fake CEO call.

Microsoft employees exposed internal passwords in security lapse

Red Hat warns of backdoor in XZ tools used by most Linux distros

New Darcula phishing service targets iPhone users via iMessage

New acoustic attack determines keystrokes from typing patterns

House passes bill that would ban TikTok if its Chinese owners don't sell the popular app.

Over 100,000 Infected Repos Found on GitHub!

White House urges devs to switch to memory-safe programming languages

Air Canada must honor refund policy invented by airline’s chatbot

Canada to ban the Flipper Zero to stop surge in car thefts

At least the API was thorough!

Mother of all breaches reveals 26 billion records!

How a 27-year-old busted the myth of Bitcoin’s anonymity

Microsoft fixes critical flaws in Windows Kerberos, Hyper-V

PornHub blocks North Carolina, Montana over new age verification laws

Blockchain dev's wallet emptied in "job interview" using npm package

Marketing Company Claims That It Actually Is Listening to Your Phone and Smart Speakers to Target Ads

50K WordPress sites exposed to RCE attacks by critical bug in backup plugin