Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Cybercriminals Exploit Telnyx Package in Latest Supply Chain Attack

  A cybercriminal group previously associated with a supply chain compromise involving the Trivy vulnerability scanner has launched another ...

All the recent news you need to know
Privacy
AI Data Email alias Internet Privacy

Why Email Aliases Are Important for Every User


Email spam was once annoying in the digital world. Recently, email providers have improved overflowing inboxes, which were sometimes confused with distractions and unwanted mail, such as hyperbolic promotions and efforts to steal user data. 

But the problem has not disappeared completely, as users still face problems sometimes. To address the issue, user can use email aliases. 

About email alias 

Email alias is an alternative email address that allows you to get mails without sharing your address. The alias reroutes all incoming mails to your primary account.

Types of email aliases 

Plus addressing: For organizing mail efficiently, you are a + symbol and a category, you can also add rules to your mail and filter them by source. 

Provider aliases: Mainly used for organizations to have particular emails for sections, while all mails go to the same inbox. 

Masked/forwarding aliases: They are aimed at privacy. Users don't give their real email, instead, a random mail is generated, while the email is sent to your real inbox. This feature is available with services like Proton Mail. 

How it protects our privacy 

Email aliases are helpful for organizing inbox, and can be effective for contacting business. But the main benefit is protecting your privacy. 

There are several strategies to accomplish this, but the primary one is to minimize the amount of time your email is displayed online. Your aliases can be removed at any moment, but they will still be visible and used. The more aliases you use, the more difficult it is to identify your real core email address. 

Because it keeps your address hidden from spammers, marketers, and phishing efforts, you will have more privacy. It is also simpler to determine who has exploited your data. 

Giving email aliases in specific circumstances makes it simpler to find instances when they have been abused. Instead of having to deal with a ton of spam, you can remove an alias as soon as you discover someone is abusing it and start over.

Aliases can be helpful for privacy, but they are not a foolproof way to be safe online. They do not automatically encrypt emails, nor do they cease tracking cookies.

The case of Apple

Court filings revealed that Apple Hide My Email, a function intended to protect genuine email addresses, does not keep users anonymous from law enforcement, raising new concerns about privacy.

With the use of this feature, which is accessible to iCloud+ subscribers, users can create arbitrary email aliases so that websites and applications never see their primary address. Apple claims it doesn't read messages; they are just forwarded. However, recent US cases show a clear limit: Apple was able to connect those anonymous aliases to identifiable accounts in response to legitimate court demands

Read more »
Yanluowang
Data Breach Ransomware Gang Russian Citizen U.S. Courts Yanluowang

Yanluowang Access Broker Gets 81 Months in Prison

 

A Russian national has been sentenced to 81 months in prison for acting as an initial access broker for Yanluowang ransomware attacks, in a case that highlights how criminal access markets fuel major extortion campaigns . Prosecutors said the defendant targeted at least eight U.S. companies, sold stolen access to ransomware operators, and helped enable ransom demands that ranged from hundreds of thousands of dollars to millions. 

Aleksey Olegovich Volkov, also known online as “chubaka.kor” and “nets,” pleaded guilty in November and admitted to hacking into corporate networks, stealing data, and passing that access along to the Yanluowang ransomware-as-a-service group . According to the report, the gang encrypted victims’ data, demanded payment in cryptocurrency, and shared the proceeds among participants. 

The investigation was built from a wide set of digital evidence, including chat logs, stolen files, victims’ credentials, and records recovered after the FBI seized a server linked to the ransomware operation. Investigators also traced Volkov through Apple iCloud data, cryptocurrency exchange records, social media accounts, and other identifiers tied to his passport and phone number. 

Court records showed that Volkov negotiated a share of ransom proceeds in exchange for delivering access to victim networks, and the FBI said his cut of collected ransoms reached $1.5 million. Prosecutors also noted that a screenshot recovered from his Apple account suggested a possible additional connection to the LockBit ransomware gang. 

Volkov was extradited to the United States after being arrested in Italy in January 2024, and he now must pay more than $9 million in restitution to victims . The Justice Department said he agreed to cover at least $9,167,198.19 in losses and forfeit equipment used in the crimes, underscoring the financial damage caused by ransomware support roles beyond the attackers who deploy the malware .
Read more »
Cyber Security
AI coding tools AI Cybersecurity Threats AI Risks AI technology Cyber risks Cyber Security

AI Coding Assistants Expose New Cyber Risks, Undermining Endpoint Security Defenses

 

Not everyone realizes how much artificial intelligence shapes online safety today - yet studies now indicate it might be eroding essential protection layers. At the RSAC 2026 gathering in San Francisco, insights came sharply into focus when Oded Vanunu spoke; he holds a top tech role at Check Point Software. 

His message? Tools using AI to help write code could actually open doors to fresh risks on user devices. Not everything about coding assistants runs smoothly, Vanunu pointed out during his talk. Tools like Claude Code, OpenAI Codex, and Google Gemini carry hidden flaws despite their popularity. Though they speed up work for programmers, deeper issues emerge beneath the surface. Security measures that have stood firm for years now face quiet circumvention. 

What looks like progress might also open backdoors by design. Despite gains in digital protection during recent years - tools like real-time threat tracking, isolated testing environments, and internet-hosted setups have made devices safer - an unforeseen setback is emerging. Artificial intelligence helpers used in software creation now demand broad entry into internal machines, setup records, along with connection points. Since coders routinely allow full control, unseen doors open. 

These openings can be used by hostile actors aiming to infiltrate. Progress, it turns out, sometimes carries hidden trade-offs. Now under pressure from AI agents wielding elevated access, Vanunu likened today’s endpoints to a once-solid fortress. These tools, automating actions while interfacing deeply with system settings, slip past conventional defenses unable to track such dynamic activity. 

A blind spot forms - silent, unnoticed - where malicious actors quietly move in. One key issue identified in the study involves the exploitation of config files like .json, .env, or .toml. While not seen as harmful by many, such file types typically escape scrutiny during security checks. Hidden within them, hostile code might reside - quietly waiting. Because systems frequently treat these documents as safe, automated processes, including AI-driven ones, could run embedded commands without raising alarms. 

This opens a path for intrusion that skips conventional virus-like components. Unexpected weaknesses emerged within AI coding systems, revealing gaps like flawed command handling. Some platforms allowed unauthorized operations by sidestepping permission checks. Running dangerous instructions became possible without clear user agreement in certain scenarios. Previously accepted tasks were altered silently, inserting harmful elements later. Remote activation of external code exposed further exposure points. 

Approval processes failed under manipulated inputs during testing. Even after fixing these flaws, one truth stands clear - security boundaries keep changing because of artificial intelligence. Tools meant to help coders do their jobs now open new doors for those aiming to break in. What once focused on systems has moved toward everyday software assistants. Fixing old problems does not stop newer risks from emerging through trusted workflows. 

Starting fresh each time matters when checking every AI tool currently running. One way forward involves separating code helpers into locked-down spaces where they can’t reach sensitive systems. Configuration files deserve just as much attention as programs that run directly. With more companies using artificial intelligence, old-style defenses might no longer fit the real dangers appearing now.
Read more »
Supply Chain Attack
CI CD Pipeline Cloud Security Credential Theft Cyber Attacks Kubernetes Security Malware Persistence Open Source Risk PyPI Compromise Python security Supply Chain Attack

Security Flaw in Popular Python Library Threatens User Machines


 

The software ecosystem experienced a brief but significant breach on March 24, 2026 that went almost unnoticed, underscoring how fragile even well-established development pipelines have become. As a result of a threat actor operating under the name TeamPCP successfully compromising the PyPI credentials of the maintainer, malicious code has been quietly seeded into newly published versions of the popular LiteLLM Python package versions 1.82.7 and 1.82.8.

LiteLLM itself was not the victim of the intrusion, but rather a previous breach involving Trivy, an open source security scanner integrated into the project's CI/CD pipeline, which effectively made a defensive tool into a channel for an attack. 

PyPI quarantined the tainted packages only after a limited period of approximately three hours when they were live, but the extent of potential exposure was significant due to the staggering number of downloads and installs of LiteLLM, which exceeds 3.4 million per day and 95 million per month, respectively. 

A powerful and unified interface for interacting with multiple large language model providers is provided by LiteLLM, a tool deeply embedded within modern artificial intelligence development environments. LiteLLM frequently operates in environments containing highly sensitive assets such as API credentials, cloud configurations, and proprietary information. 

The incident illustrates not only a fleeting compromise; it also illustrates a broader and increasingly urgent reality that the open source supply chain remains vulnerable to exactly the types of indirect, multi-stage attacks that are the most difficult to detect and the most damaging when they are successful in a global software development environment. This incident was not simply the result of code tampering; it was a carefully designed, multi-stage intrusion intended to exploit environments that are heavily automated and trusted. 

The threat group TeamPCP leveraged its access in order to introduce two trojanized versions of LiteLLM - versions 1.82.7 and 1.82.8 - which contained obfuscated payloads embedded in core components of the package, namely within the module litellm/proxy/proxy_server.py. 

While the insert was subtle, positioned between legitimate code paths, and encoded so as to evade immediate attention, it ensured execution at import, an important point in the development lifecycle that virtually ensures activation in production environments. 

An even more durable mechanism was introduced in the subsequent version by the attackers as a malicious .pth file directly embedded within the site-packages directory, which was used to extend their foothold. As a result of exploiting Python's internal initialization behavior, the payload executed automatically upon every interpreter startup, regardless of whether LiteLLM itself was ever invoked again. Using detached subprocess calls, the malicious logic was able to operate without visibility, effectively bypassing conventional monitoring tools which focus on application execution. 

Designing the payload reflected an in-depth understanding of cloud-native architectures and the dense concentrations of sensitive information contained within them. When activated, the code acted as a comprehensive orchestration layer capable of conducting reconnaissance, credential harvesting, and environment mapping.

Through a systematic process of traversing the host system, SSH keys, cloud provider credentials, Kubernetes configurations, container registry secrets, and environment variables were extracted. Additionally, managed services were probed further for information.

Cloud-based environments utilize native authentication mechanisms, such as AWS instance metadata, to generate signed requests and retrieve secrets directly from services such as Secrets Manager and Parameter Store, extending its reach beyond traditional disk-based storage or network access. 

A comprehensive collection process was conducted, including infrastructure-as-code artifacts, continuous integration and continuous delivery configurations as well as cryptographic material, database credentials, and developer shell histories, effectively turning each compromised device into an extensive repository of exploitable information. 

Data exfiltration was highly sophisticated, utilizing layered encryption and infrastructure that blended seamlessly into legitimate traffic patterns to exfiltrate data. After compression, encryption, and asymmetric key wrapping, stolen data was transmitted to a domain fabricated to resemble legitimate LiteLLM infrastructure before being encrypted.

As a consequence, even intercepted traffic would be of little value without access to the attacker's private key, complicating the forensic analysis and response process. Furthermore, the operation demonstrated a clear emphasis on persistence and lateral expansion, particularly within Kubernetes environments. 

As service account tokens were present in the payload, it initiated cluster-wide reconnaissance, deployed privileged pods across all nodes, including control-plane systems, and mounted host filesystems and bypassed scheduling restrictions. It then introduced a secondary persistence layer that was disguised as a benign system telemetry service within user-level configurations of systemd.

During periodic communication with a remote command-and-control endpoint, this component provided operators with the ability to deliver additional payloads, update tooling, or terminate the activity by using a built-in kill switch. In summary, the incident indicates that operational maturity extends beyond opportunistic exploitation, demonstrating a level of operational maturity. 

The team PCP successfully maximized the return on each compromised host by targeting LiteLLM, a gateway technology at the intersection of multiple artificial intelligence providers. This allowed them access not only to infrastructure credentials, but also to a wide variety of API keys that cover numerous large language model platforms. 

As a result, the compromise of one, widely trusted component can have alarming ripple effects across entire development and production environments with alarming speed and precision in an ecosystem increasingly characterized by interconnected dependencies. Organizations must reevaluate trust boundaries within their software supply chains in the aftermath of the incident, as remediation is no longer the only priority for organizations.

As security teams are increasingly being encouraged to adopt a zero-trust approach towards third-party dependencies, verification does not end when the product is installed, but continues throughout the entire execution lifecycle. 

Among these measures are the enforcing of strict version pins, verifying package integrity using trusted sources, and developing continuous monitoring mechanisms that will detect anomalous behavior at runtime as opposed to simply relying on static analysis. 

The strengthening of continuous integration/continuous delivery pipelines—especially their tools—has emerged as a critical control point, as this attack demonstrated how upstream compromise can cascade downstream without significant resistance. 

An institutionalization of rapid response playbooks is equally important in order to ensure that credentials are rotated, systems are isolated, and forensic validation is conducted without delay when anomalies are discovered. 

As the use of interconnected AI frameworks continues to increase, security responsibilities are shifting from reactive patching to proactive resilience, where detection, containment, and recovery of supply chain intrusions become as essential as preventing them.
Read more »
ransomware attack US government
Connecticut hacking incident Cyber Attacks Inc ransomware group Meriden cyberattack ransomware attack US government

Ransomware Group Inc Claims Cyberattack on Meriden, Connecticut Amid Ongoing Service Disruptions

 

A ransomware gang known as Inc has claimed responsibility for a cyberattack targeting the city of Meriden, Connecticut, over the weekend, adding to growing concerns about attacks on public sector systems.

City officials first disclosed issues on February 17, noting that several municipal services had been disrupted for weeks. Residents experienced delays in services such as water billing, while operations at the city clerk and tax collector’s offices continued to face restoration challenges even more than a month later.

The group Inc published its claim on its data leak platform, sharing sample screenshots of what it alleges are documents taken from the city’s systems. However, Meriden authorities have not confirmed the group’s involvement, and independent verification of the breach details remains unavailable. It is still unclear what information may have been accessed, how the attackers infiltrated the network, whether any ransom was paid, or the amount demanded. Officials have not issued further clarification following outreach for comment.

"The City of Meriden recently identified an attempted interruption of our internet services," says Scarpati's February 17 notice.

"This will not affect any emergency services provided to the city. However, non-essential services may be limited or altered until the internet is restored. "

Inc is a ransomware operation that emerged in July 2023 and has since targeted organizations across sectors such as healthcare, education, and government. The group typically relies on tactics like spear phishing and exploiting known software vulnerabilities to gain access to systems. Once inside, it deploys malware capable of both extracting sensitive data and encrypting systems, demanding payment in exchange for restoration.

Since its emergence, Inc has claimed involvement in 704 cyberattacks, with 175 incidents confirmed by affected organizations. Among these confirmed cases, 25 involved government entities.

Earlier in April, the group also took responsibility for breaching Namibia Airports Company, which manages several major airports in the country.

So far in 2026, Inc has reported 124 attacks, of which 11 have been verified by the impacted organizations.

Rising Ransomware Threats to US Government

Researchers have identified at least 10 confirmed ransomware incidents affecting US government entities in 2026 alone, underscoring a persistent threat to public infrastructure.

Recent cases include an attack on the Jackson County, Indiana sheriff’s office, which stated it would not comply with ransom demands. Meanwhile, Foster City, California, has recently restored its communication systems following a cyberattack that began in mid-March.

Other municipalities and institutions reporting similar incidents include Passaic County, New Jersey; Midway, Florida; Winona County, Minnesota; New Britain, Connecticut; Tulsa International Airport, Oklahoma; Huntington, West Virginia; and Hart, Michigan.

Ransomware attacks on government systems can have far-reaching consequences, from data theft to widespread service outages. Critical functions such as billing, court records, and emergency response systems may be affected. Authorities often face a difficult decision between paying ransom demands to regain access or dealing with prolonged disruptions, potential data loss, and increased risks of fraud.
Read more »
Software
Android App Developers Apple Apps Google Google Play malware Software

Google Rolls Out Android Developer Verification to Curb Anonymous App Distribution

 



Google has formally begun rolling out a comprehensive verification framework for Android developers, a move aimed at tackling the persistent problem of malicious applications being distributed by actors who operate without revealing their identity. The company’s decision reflects growing concerns within the mobile ecosystem, where anonymity has often enabled bad actors to bypass accountability and circulate harmful software at scale.

This rollout comes in advance of a stricter compliance requirement that will first take effect in September across key markets including Brazil, Indonesia, Singapore, and Thailand. These regions are being used as initial enforcement zones before the policy is gradually expanded worldwide next year, signaling Google’s intent to standardize developer accountability across its global Android ecosystem.

Under the new system, developers who distribute Android applications outside of the official Google Play marketplace will now be required to register through the Android Developer Console and verify their identity credentials. This requirement is particularly substantial for developers who rely on alternative distribution methods such as direct APK sharing, enterprise deployment, or third-party app stores, as it introduces a layer of traceability that previously did not exist.

At the same time, Google clarified that developers already publishing applications through Google Play and who have completed existing identity verification processes may not need to take further action. In such cases, their applications are likely to already comply with the updated requirements, reducing friction for those operating within the official ecosystem.

Explaining how this change will affect end users, Matthew Forsythe, Director of Product Management for Android App Safety, emphasized that the vast majority of users will not notice any difference in their day-to-day app installation experience. Standard app downloads from trusted sources will continue to function as usual, ensuring that usability is not compromised for the general public.

However, the experience changes when a user attempts to install an application that has not been registered under the new verification system. In such cases, users will be required to proceed through more advanced installation pathways, such as Android Debug Bridge or similar technical workflows. These methods are typically used by developers and experienced users, which effectively limits exposure for less technical individuals.

This design introduces a deliberate separation between general users and advanced users. While everyday users are shielded from potentially unsafe applications, power users retain the flexibility to install software manually, albeit with additional steps that reinforce intentional decision-making.

To further support developers, Google is integrating visibility into its core development tools. Within the next two months, developers using Android Studio will be able to directly view whether their applications are registered under the new system at the time of generating signed App Bundles or APK files. This integration ensures that compliance status becomes part of the development workflow rather than a separate administrative task.

For developers who have already completed identity verification through the Play Console, Google will automatically register eligible applications under the new framework. This automation reduces operational overhead and ensures a smoother transition. However, in cases where applications cannot be automatically registered, developers will be required to complete a manual claim process to verify ownership and bring those apps into compliance.

In earlier guidance, Google also outlined how sideloading, the practice of installing apps from outside official stores, will function under this system. Advanced users will still be able to install unregistered APK files, but only after completing a multi-step verification process designed to confirm their intent.

This process includes an authentication step to verify the user’s decision, followed by a one-time waiting period of up to 24 hours. The delay is not arbitrary. It is specifically designed to disrupt scam scenarios in which attackers pressure users into quickly installing malicious applications before they have time to reconsider.

Forsythe explained that although this process is required only once for experienced users, it has been carefully structured to counter high-pressure social engineering tactics. By introducing friction into the installation process, the system aims to reduce the success rate of scams that rely on urgency and manipulation.

This development is part of a wider industry tendency toward tightening control over app ecosystems and improving user data protection. In a parallel move, Apple has recently updated its Developer Program License Agreement to impose stricter rules on how third-party wearable applications handle sensitive data such as live activity updates and notifications.

Under Apple’s revised policies, developers are explicitly prohibited from using forwarded data for purposes such as advertising, user profiling, training machine learning models, or tracking user location. These restrictions are intended to prevent misuse of real-time user data beyond its original functional purpose.

Additionally, developers are not allowed to share this forwarded information with other applications or devices, except for authorized accessories that are explicitly approved within Apple’s ecosystem. This ensures tighter control over how data flows between devices.

The updated agreement also introduces further limitations. Developers are barred from storing this data on external cloud servers, altering its meaning in ways that change the original content, or decrypting the information anywhere other than on the designated accessory device. These measures collectively aim to preserve data integrity and minimize the risk of misuse.

Taken together, this charts a new course across the technology industry toward stronger governance of developer behavior, application distribution, and data handling practices. As threats such as malware distribution, financial fraud, and data exploitation continue to evolve, platform providers are increasingly prioritizing transparency, accountability, and user protection in their security strategies.

Read more »
Subscribe to: Comments (Atom)

Featured