AI evaluation startup Braintrust confirms AWS account breach exposing AI provider API keys. All org admins must rotate secrets immediately. Timeline and steps
ShinyHunters breached Zara parent Inditex via analytics vendor Anodot, stealing 192 GB from Google BigQuery. 197,000 records now in Have I Been Pwned.
PamDOORa is a commercial Linux PAM backdoor sold on the Rehub Russian cybercrime forum. It installs a magic-password hook into the SSH auth
Malwarebytes researchers find NWHStealer, a Rust-based infostealer, being distributed via the Bun JavaScript runtime to evade antivirus detection on Windows systems.
Iranian APT MuddyWater disguised a state-sponsored espionage operation as a Chaos ransomware attack, using Microsoft Teams social engineering to steal credentials and data.
Research analyzing 100M+ underground forum posts finds cybercriminals struggling to adopt AI meaningfully, safety guardrails holding, and AI slop flooding their own platforms.
ClaudeBleed is a Chrome extension vulnerability in Anthropic's Claude that lets any malicious extension inject prompts and exfiltrate Gmail, GitHub, and Drive data.
A step-by-step technical breakdown of the SHA-1 algorithm — padding, message schedule, 80-round compression, security status, and migration to SHA-256.
Australia's ACSC warns of an active ClickFix campaign using compromised WordPress sites to deliver Vidar Stealer across multiple Australian sectors. Mitigations inside.
Kaspersky researchers attribute malicious PyPI packages delivering ZiChatBot malware to OceanLotus APT, using Zulip team chat REST APIs as covert command-and-control infrastructure.
