Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Malware Attack
Cyber Attacks Cyber Breaches Cyber websites data security Fake Windows Linux Linux Malware Malware Attack

JDownloader Website Breach Spreads Malware Through Fake Windows and Linux Installers

 

In early May 2026, the official website for JDownloader was compromised, causing users to unknowingly download infected installers instead of legitimate software. During the two-day breach window, attackers replaced Windows and Linux setup files with malicious versions carrying hidden malware. Researchers later discovered that the Windows payload deployed a stealthy Python-based remote access trojan capable of giving attackers control over infected systems. 

Because the files appeared authentic and came directly from a trusted source, many users installed them without suspicion. JDownloader remains one of the most widely used download automation tools, supporting downloads from hosting services, streaming sites, and premium file-sharing platforms across Windows, Linux, and macOS. Its long-standing reputation and large user base made the attack especially dangerous, as users naturally trusted downloads from the official website. 

The issue first gained attention after a Reddit user reported Microsoft Defender warnings while downloading updated installers from the JDownloader website. The files showed suspicious digital signatures linked to unknown names like “Zipline LLC” and “The Water Team” instead of AppWork GmbH, the legitimate developer. Community concern quickly spread online, prompting the development team to investigate. 

Soon after, JDownloader confirmed that attackers had exploited an unpatched flaw in the site’s content management system to modify download links and redirect users toward malicious third-party installers. Developers stated that the compromise was limited to public-facing web content and did not extend to deeper server infrastructure or operating system-level access. The team later clarified that only the Windows “Alternative Installer” downloads and Linux shell installer links were affected. 

Other distribution channels, including macOS packages, Flatpak, Winget, Snap releases, in-app updates, and the main JAR package, remained secure throughout the incident. Developers urged users to verify installer authenticity by checking digital signatures within file properties. Legitimate files should display a verified signature from AppWork GmbH, while unsigned installers or files signed by unfamiliar publishers should be avoided immediately. 

Cybersecurity researcher Thomas Klemenc later analyzed the malicious Windows files and found they acted as loaders for a heavily obfuscated Python-based remote access tool. According to his findings, the malware could execute remote commands through command-and-control servers, silently turning infected devices into attacker-controlled systems. Analysis of the Linux shell installer also uncovered injected malicious code designed to download disguised payloads from suspicious domains. 

Once executed, the malware installed hidden binaries, created persistence mechanisms, elevated privileges using root-level configurations, and disguised itself as legitimate Linux system processes to avoid detection. Experts noted that parts of the Linux malware remain difficult to fully understand because the payload was heavily protected using obfuscation tools like Pyarmor, limiting deeper analysis. 

Although JDownloader stressed that only users who downloaded and executed installers during the breach window were at risk, security professionals strongly recommend reinstalling operating systems on infected machines. Since arbitrary code execution was possible, experts also advise resetting all passwords after cleaning affected devices due to potential credential theft. 

The attack reflects a growing cybersecurity trend in which hackers target trusted software platforms to distribute malware through compromised downloads. Similar incidents recently affected CPU-Z, HWMonitor, and DAEMON Tools, where attackers replaced legitimate installers with infected versions carrying hidden malware.  

As supply chain attacks continue increasing, cybersecurity experts stress the importance of checking digital signatures carefully and avoiding suspicious downloads, even on trusted software platforms.
Read more »
WolfSSL flaw
AI cybersecurity Anthropic Claude Mythos Preview Project Glasswing software vulnerabilities Vulnerabilities and Exploits WolfSSL flaw

Anthropic’s Project Glasswing Detects Over 10,000 Critical Software Vulnerabilities Worldwide

 

iArtificial intelligence company Anthropic has revealed that its cybersecurity initiative, Project Glasswing, has successfully identified more than 10,000 high- and critical-severity vulnerabilities across globally significant software systems since the program was introduced last month.

The initiative was designed as a defensive cybersecurity program aimed at strengthening critical software infrastructure worldwide. Through Project Glasswing, around 50 trusted partners receive early access to Claude Mythos Preview — an advanced AI model capable of autonomously discovering vulnerabilities in widely used software before malicious actors can exploit them.

According to Anthropic, 6,202 of the detected vulnerabilities were categorized as high or critical severity and affected over 1,000 open-source projects. Further review confirmed 1,726 of these findings as legitimate true positives, while 1,094 vulnerabilities were assessed as either high or critical in severity.

Among the major discoveries was a critical security flaw in WolfSSL identified as CVE-2026-5194, carrying a CVSS score of 9.1. The vulnerability could potentially allow attackers to forge certificates and impersonate legitimate services. Anthropic noted that the initiative has already contributed to 97 vulnerabilities being patched upstream along with the release of 88 security advisories.

"The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity," Anthropic acknowledged. "Confronting this challenge successfully will make our software far safer than before."

The announcement comes amid a broader rise in AI-assisted vulnerability discovery, with software vendors releasing patches at an unprecedented pace. Microsoft recently indicated that the number of monthly security patches is expected to continue increasing over time.

Cybersecurity firm XBOW described Mythos Preview as "a major advance" that is "substantially better than prior models at finding vulnerability candidates" and "adept at analyzing source code with a security mindset." Researchers have also observed the model’s effectiveness in converting vulnerabilities into complete end-to-end attack chains.

Anthropic highlighted that the capabilities of Mythos Preview extend beyond vulnerability detection. In one reported incident, a banking partner participating in Glasswing used the AI model to identify and block a fraudulent wire transfer worth $1.5 million after a threat actor compromised a customer’s email account and attempted spoofed phone calls.

The company warned that AI models with capabilities similar to Mythos could become widely accessible in the near future, prompting a need for organizations to accelerate their patch management processes. Oracle has already transitioned to a monthly patch cycle to respond more quickly to critical security vulnerabilities.

"Network defenders should shorten their patch testing and deployment timelines," Anthropic said. "These include steps like hardening networks' default configurations, enforcing multi-factor authentication, and keeping comprehensive logs for detection and response."

Anthropic also announced the launch of its Cyber Verification Program, which allows verified security researchers to use its AI models without standard guardrails for legitimate cybersecurity activities such as penetration testing, vulnerability research, and red teaming. The move mirrors OpenAI’s Daybreak initiative, which enables defenders to work with GPT-5.5-Cyber for specialized security workflows.

Despite their advanced capabilities, models such as Mythos Preview and GPT-5.5-Cyber have not yet been publicly released due to concerns surrounding potential misuse and the absence of sufficient safeguards against large-scale abuse.

"Glasswing helps the most systemically important cyber defenders gain an asymmetric advantage," it pointed out. "However, there is an urgent need for as many organizations as possible to shore up their cyber defenses. We hope that our generally available models, and the new tools, resources, and research we're providing to accompany them, will support those organizations to improve their cybersecurity posture."
Read more »
Vulnerabilities and Exploits
Claude AI Google Ads Mac Users User Security Vulnerabilities and Exploits

Hackers Abuse Google Ads and Claude.ai Chats to Spread Mac Malware

 

Cybercriminals are once again abusing trust, and this time they are combining Google Ads with Claude.ai shared chats to push malware onto Mac users. The campaign targets people searching for terms like “Claude mac download,” where sponsored results appear to point to the legitimate claude.ai domain but actually lead to malicious installation instructions. Security researcher Berk Albayrak first identified the scheme, and confirmed that attackers are using the tactic in active campaigns. 

The attack works because it looks believable at first glance. Users click a sponsored search result, land on a public Claude chat, and see what appears to be an official “Claude Code on Mac” guide, sometimes even attributed to Apple Support. That page then tells them to open Terminal and paste a command. Instead of installing useful software, the command quietly downloads and runs malware on the victim’s Mac.

What makes the operation especially dangerous is the way it blends legitimate services with deception. The ad itself can show the real claude.ai domain, which helps the link look safe, while the malicious instructions are hidden inside Claude’s shared chat feature. In some variants, the payload is linked to MacSync-style infostealer behavior, aimed at harvesting browser credentials, cookies, and Keychain data. Researchers also reported that multiple malicious chats were being used, showing that the operators are testing and rotating infrastructure. 

The campaign is a strong reminder that search results and AI platforms are not automatically trustworthy just because they appear familiar. Attackers increasingly rely on “clickfix” tactics, where the victim is convinced to copy and run a command manually, bypassing many traditional download warnings. That user action becomes the infection point, making the social engineering as important as the malware itself.

Mac users should avoid sponsored search results when looking for software downloads and instead go directly to the official site by typing the address themselves. Any chat, guide, or support page that instructs users to paste Terminal commands should be treated with caution, especially if it claims to come from Apple or a well-known AI service. The broader lesson is simple: when an instruction asks you to run code on your own computer, pause and verify before acting.
Read more »
ShinyHunters
Canvas LMS Data Breach Instructure Breach Login Page Defacement Ransomware Attack School Cyberattack ShinyHunters

Threat Campaign Targets School Login Systems After Alleged Instructure Hack


 

The initial appearance of a routine service disruption within one of the most widely used academic learning platforms in the world quickly evolved into a significant cybersecurity issue as threat actors associated with the ShinyHunters group allegedly compromised Instructure's Canvas system. 

A large number of educational institutions experienced widespread operational instability as a result of the incident, which exposed sensitive academic and identity-related records, disrupted coursework timelines, and resulted in the defacement of several school authentication portals. 

A growing concern over the potential release of a data set reportedly affecting thousands of institutions as well as hundreds of millions of students and employees led Instructure to reveal that it had reached an agreement with the unauthorised actor responsible for the intrusion language that cybersecurity analysts interpreted as an indication of ransom negotiations. ShinyHunters collective claims to have successfully compromised Instructure's infrastructure for the second time in just a few weeks, further escalating the issue. 

The breach resulted in school authentication portals were made public and were affected in addition to backend systems. The incidents took place during final examination periods across several institutions using Canvas, causing even more disruption for administrators, educators, and students experiencing intermittent outages as a result of the earlier intrusion disclosed on April 30.

The Instructure platform had acknowledged that "criminal threat actors" were responsible for unauthorized access to parts of its environment, but subsequent activity indicates the attackers were still able to manipulate externally accessible services. 

When threat actors were reportedly injected malicious HTML components into Canvas login pages, unauthorized message prompts were found attributed to ShinyHunters, effectively defacing the authentication screens utilized for coursework management, assignment submissions, and academic communication, multiple Canvas login pages were later found displaying unauthorized messages attributed to ShinyHunters.

According to the message posted by the group, the allegedly stolen data will be made public on May 12 unless the company enters into a "settlement" negotiations. Parts of Instructure's online infrastructure appeared unstable during the escalation process, with some services intermittently returning "too many requests" errors while Canvas displayed maintenance notices indicating ongoing remediation and containment efforts throughout the company's network infrastructure. 

According to further disclosures, the breach affected a wide spectrum of academic stakeholders, including students, faculty, and institutional staff, with portions of information reportedly relating to minors. Despite Instructure's claims that passwords and highly sensitive authentication credentials were not compromised, the attackers are said to have obtained substantial amounts of information regarding personal identification and platform usage, such as usernames, e-mail addresses, student identification numbers, and private communications exchanged within the learning management system. 

According to the company, the initial compromise was terminated, remediation measures were implemented across the affected systems, and Canvas services were restored after containment procedures were initiated to prevent additional intrusions. However, ShinyHunters later stated it had successfully breached the platform again, this time targeting institution-specific authentication portals, thereby putting the company under pressure to enter into a settlement negotiation related to the earlier data theft, despite these efforts. 

As part of the extortion attempt, the group used stolen data as a means of coercion following network intrusions, which is a well-established operational pattern, however, the apparent recurrence of unauthorized access raised concerns regarding residual vulnerability issues within Instructure's network infrastructure. Canvas was brought offline once again following the second disruption, prompted the company to remove the component identified as being at the root of the incident  the Free-for-Teacher environment. 

Instructure acknowledged in an updated incident disclosure that investigators had identified a vulnerability associated with support ticket functionality within the Free-for-Teacher system, which threat actors allegedly exploited to facilitate the latest security breach. By putting the incident on its leak portal, ShinyHunters had earlier accepted public responsibility for the initial intrusion. 

The tactic is commonly used by ransomware and extortion-focused groups to increase pressure on targets by threatening data release under controlled circumstances. In the wake of the recent compromise, the attackers have attempted to reach out directly to media outlets regarding the defaced Canvas login pages, suggesting they are attempting to escalate the attack not only against Instructure but also against the thousands of educational institutions that rely on the platform for their operations. During ongoing negotiations regarding the previously stolen data, cybersecurity analysts viewed the public defacement as an attempt to amplify reputational and operational pressures. 

In spite of the fact that there is no clear indication of how the school-specific authentication pages were compromised, ShinyHunters officials have indicated the breach has been a separate one from the original attack, but declined to provide any further technical information regarding the method used to gain access to the system. 

The group claims to have stolen data from nearly 9,000 educational institutions around the world; these records are believed to belong to approximately 231 million people. Following the earlier compromise, the group claimed to have exfiltrated information related to nearly 9,000 educational institutions. 

A key component of the campaign was a mirroring of the threat group's established operating model, which is typically composed of a combination of network intrusion, public exposure of victims through leak sites, and sustained extortion efforts to maximize financial leverage following the theft of large amounts of data. There has been an increased focus on security architecture of cloud-based education platforms in the wake of the incident, which has become a critical infrastructure for academic operations worldwide.

In addition to disrupting coursework and institutional systems for the immediate period, the exposure of student communications and identity-linked records, particularly involving minors, demonstrates the long-term risks associated with large-scale compromises of digitally centralized learning environments. 

During the remediation and forensic investigation efforts, Instructure is likely to establish the breach as a landmark in the field of ransomware and extortion, which increasingly target educational technology ecosystems where operational urgency and reputational pressure can lead to high-stakes cybersecurity incidents.
Read more »
data security
AI coding tools Consumer Data Exposure Corporate Data Breach cybersecurity vulnerabilities Data Breach data security

AI Coding Tools Expose Thousands of Apps With Sensitive Corporate Data Online

 

Thousands of web applications built using AI coding tools have been found publicly accessible online without proper security protections. Researchers at RedAccess identified more than 5,000 exposed apps tied to companies, many revealing private information to anyone with the correct URL. Employee records, customer conversations, system plans, and financial files were among the exposed materials. The problem wasn’t faulty code but missing security setup steps that many users overlooked. 

In many cases, public access remained enabled long after deployment, creating silent data leaks that went unnoticed for months. Many of the vulnerable apps were created using platforms like Replit, Netlify, Base44 owned by Wix, and Lovable. Nearly 2,000 apps appeared to contain genuine sensitive information, including advertising spending reports, company strategy documents, chatbot logs, customer contact details, hospital personnel records, and financial summaries. 

According to RedAccess researcher Dor Zvi, the issue is linked to the rise of “vibe coding,” where non-technical employees use AI tools to rapidly build and publish web applications. Since these platforms make development extremely simple, apps can go live within minutes without any review from engineering or cybersecurity teams. Researchers found the exposed apps through basic Google and Bing searches because many AI coding services host projects publicly on shared domains by default. 

Some applications exposed private information without requiring logins, while others reportedly allowed outsiders to gain administrative control over backend systems. The exposed data covered multiple industries. Hospital staff schedules listing doctors’ identities appeared alongside marketing strategy presentations, shipping records, retailer chatbot conversations, and detailed advertising campaign budgets. Such leaks could expose sensitive competitive information, including business planning timelines and financial allocations. 

The investigation also uncovered phishing websites hosted directly on AI coding platform domains. These fake pages impersonated major companies including Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s. The platforms disputed parts of the findings while acknowledging that publicly accessible apps existed. Amjad Masad said users choose whether apps remain public or private. Lovable emphasized that creators are responsible for configuring security correctly, while Wix stated weakening protections requires deliberate user actions. 

Security experts argue the broader issue remains serious because AI coding tools rarely enforce strong safeguards automatically. Many employees using them lack training in authentication systems or permission controls, allowing insecure deployments to slip through unnoticed. Researchers say the situation resembles earlier waves of exposed Amazon S3 cloud storage buckets, where confusing defaults and user mistakes left sensitive files publicly accessible. 

AI-powered coding platforms may now be accelerating similar risks on a larger scale as businesses increasingly rely on AI tools for internal dashboards, marketing systems, client portals, and reporting applications. Experts also warn the true scale may be far larger. The 5,000 discovered apps only included projects hosted directly on AI platform domains. Thousands more could exist on privately owned domains that standard searches cannot easily detect. 

As AI-generated development grows rapidly, companies are now under pressure to strengthen oversight, improve employee training, and introduce stricter security reviews. Without stronger safeguards, fast AI-assisted app creation could continue exposing confidential corporate and personal information online.
Read more »
User Privacy
Android Trojan Data Harvesting Data Leak malware User Privacy

Millions of Devices at Risk: New Trojan Monitors Smartphones

 

A menacing new Trojan has emerged that puts millions of smartphone devices worldwide at risk, according to recent cybersecurity reports. This sophisticated malware specifically targets Android devices and has already infected thousands of users across 143 countries. The Trojan's ability to monitor smartphones in real-time represents a significant evolution in mobile cyberthreats, with security researchers warning that the actual infection count could be far higher than currently detected.

The malware spreads primarily through seemingly legitimate websites that trick users into downloading malicious applications. Once installed, the Trojan grants hackers complete remote control over compromised devices, enabling live monitoring of user activities. Security firm Zimperium zLabs identified similar dangerous Trojans like Arsink, which impersonates popular brands including WhatsApp and TikTok to evade detection. The infected devices can have their audio recorded, text messages read, and even be wiped completely by attackers. 

This Trojan's most alarming capability is its live monitoring feature combined with coordinated attack systems. Beyond stealing credentials, the malware transmits live screen content to remote servers, creating a continuous visual feed that allows attackers to observe activity and intercept authentication steps in real time. Encrypted communication channels connect infected devices to centralized command systems that coordinate attacks and distribute updated instructions, managing thousands of compromised devices simultaneously. The infection has created a massive footprint, with Egypt reporting around 13,000 compromised phones, Indonesia approximately 7,000, and Iraq and Yemen each with 3,000 infections. 

The Trojan harvests an extensive range of sensitive data including SMS messages, call logs, contacts, device location, and Google account information. It can steal user accounts in messengers and social networks, stealthily send messages on behalf of victims, monitor browser activities, replace links, swap numbers during calls, and intercept SMS messages. Previous similar malware campaigns have already stolen at least $270,000 worth of cryptocurrency, suggesting the financial damage from this new Trojan could be substantial. 

Experts recommend several critical protection measures to safeguard against this threat. Users should only download applications from official app stores like Google Play, avoid clicking links from suspicious websites, and keep their Android operating system updated with the latest security patches. Google has warned that over 40% of Android devices remain vulnerable because they run outdated versions without security support. If your smartphone brand no longer provides security updates, experts strongly recommend considering a new device to protect your personal data.
Read more »
WhatsApp
Bugs Cloud Data Meta Technology WhatsApp

WhatsApp Fixed Two Security Bugs via It's Bug Bounty Program

WhatsApp Fixed Two Security Bugs via It's Bug Bounty Program

Meta recently released a security advisory in May revealing two bugs in WhatsApp were found through its bug bounty program. But these bugs were patched and were not exploited in the wild by the threat actors. Both bugs are now patched.

About two bugs

The first bug is tracked as CVE-2026-23863, a Windows specific problem. This bug was maliciously crafted with hidden “NUL BYTES” hidden within the filename, to trick WhatsApp into showing it as one filetype such as an authorized PDF while pretending to be running as an executable once opened. Meta fixed this patch in April on both platforms.

The second vulnerability, tracked as CVE-2026-23866 impacted both android and iOS users. The attack tactic involved partial authorization of AI rich response texts for Instagram Reels shared within Whatsapp. A threat actor could possible launch another user’s device to access media content through an arbitrary URL, such as launching OS level custom URL scheme handles. This flaw was patched in April on both platforms.

Severity

The two bugs were given medium severity by researchers. WhatsApp has verified that no bug was abused.

Both were rated medium severity, and WhatsApp confirmed there's no evidence either was actually abused.

The impact

These kind of reporting get sidelined by glossy and infamous threat. For instance the recent SMS pumpoing attacks increasing phone bills, or phishing campaigns that used messaging apps as entry points, and lastly the attack on educational institutes that compromised Canvas and Instructure, leaking hundreds of GBs of data.

But Whatsapp did a good job in finding and fixing the flaw before cybercriminals could exploit them and cause harm. The bug bounty program of WhatsApp has been going on for fifteen yesr, and the recent patches show it it is still reliable.

What should users do?

Simple advice: always keep your phones and app updated. 

There has never been a better moment to use secure communications services like WhatsApp or Signal. The truth is that Meta does a great job of keeping the app and its users safe and secure, despite some security concerns of its own, such as the recently reported phishing attempts using the encrypted messenger as part of the exploit chain and a spyware threat targeting iOS users.

Read more »
NSW Police cryptocurrency raid
Australia Bitcoin seizure Bitcoin money Cyber Attacks darknet marketplace crackdown NSW Police cryptocurrency raid

Australia Seizes $4.2 Million in Bitcoin in Major Darknet Crackdown

 

Authorities in the Australian state of New South Wales (NSW) have confiscated 52.3 Bitcoin, valued at more than $4.2 million, following search warrants carried out in Ingleburn on May 4. The seizure is being described as one of the country’s most significant cryptocurrency confiscations to date.

The operation was part of Strike Force Andalusia, an investigation launched in September 2024 after the NSW Police Cybercrime Squad identified a cryptocurrency wallet allegedly linked to proceeds generated through darknet marketplace activities.

As part of the wider probe, investigators had previously searched a residence in Surfside, where they recovered electronic devices and approximately 7.2 grams of cocaine. A forensic review of the seized devices later revealed further cryptocurrency assets connected to the investigation.

Police allege that a 39-year-old man from Ingleburn refused to provide investigators with access to his digital devices at the time of his arrest. He now faces additional charges alongside allegations related to money laundering and drug supply.

Detective Superintendent Matt Craft, commander of the NSW State Crime Command’s Cybercrime Squad, said the case highlights the growing capabilities of law enforcement agencies in tracking illegal cryptocurrency activity.

"Criminals operating on the darknet often believe they are beyond the reach of law enforcement, but this investigation shows that is simply not the case," Craft said. "Darknet marketplaces remain a key enabler of serious criminal activity, and our detectives are actively targeting those who use them to trade illicit goods or launder money."

Australian authorities have stepped up efforts to tackle cryptocurrency-related crimes as digital assets increasingly feature in organized criminal operations. The latest seizure reflects the expanding expertise of both NSW cybercrime investigators and the Australian Federal Police in tracing blockchain transactions and recovering illicit funds.

Recent investigations across Australia have also demonstrated that cryptocurrency transactions on darknet platforms are far less anonymous than many offenders assume, with several cases leading to multimillion-dollar digital asset seizures
Read more »
Technology
Bitcoin Security Blockchain Security Cryptographic Risk Digital Asset Security ECDSA Vulnerability Post Quantum Cryptography Quantum Computing Quantum Threat Technology

Quantum Technology Emerges as a Potential Threat to Bitcoin Networks


 

Bitcoin's security architecture has been based on a foundational assumption that modern cryptographic protections will remain computationally impractical to violate at scale for more than a decade. 

Now, with quantum computing transitioning from theoretical research into an emerging engineering reality capable of challenging the mathematical foundations behind digital signatures and blockchain authentication, this assumption is coming under renewed scrutiny. 

With the development of quantum technologies, security researchers and blockchain developers are increasingly evaluating the potential exposure of private keys, compromise of wallet integrity, and weakening of transaction trust in decentralised ecosystems as quantum capabilities continue to mature. 

While the discussion extends beyond the quantum threat itself, it emphasises the enduring importance of private key protection and the operational limitations of hardware wallets, where computational efficiency, power constraints, and algorithm compatibility are critical factors determining the viability of next-generation cryptographic defences. It is against this backdrop that a proposal from Avihu Levy has been widely discussed in regard to Bitcoin's post-quantum transition strategy. 

Quantum Safe Bitcoin (QSB) is a transaction model proposed by Levy that is designed to preserve cryptographic security even in the presence of an advanced quantum system capable of executing Shor's algorithm against conventional public-key cryptography. There is particular interest in the proposal within the Bitcoin ecosystem because it does not require consensus-level changes to the Bitcoin protocol itself, thus avoiding the difficult and political process typically associated with network upgrades.

Due to its ability to layer quantum-resistant protections onto existing infrastructure rather than replacing the protocol foundation entirely, the architecture has been widely regarded as an elegant piece of engineering. The emergence of this technology coincides with a general acceleration in industry readiness for post-quantum risks, as governments, semiconductor firms, and major cloud providers intensify migration planning around potential cryptographic risks in the near future. 

While QSB has gained significant popularity, security researchers note that the proposal addresses a much narrower segment of the quantum problem than public discussion sometimes implies. In light of the broader operational challenges associated with exposing private keys, implementing wallets, and ensuring long-term cryptographic survival across decentralised networks, this proposal offers a broad perspective on the quantum problem. 

Quantum computing is of concern to a larger audience because it could undermine public-key cryptography, which encrypts blockchain ecosystems with public keys, particularly signature schemes like ECDSA, which is used across Bitcoin and Ethereum networks. Using publicly exposed wallet data, an advanced quantum system could theoretically be able to derive private keys, enabling forged transactions and unauthorised transfers of funds. 

While researchers generally agree that quantum hardware is not yet capable of executing such attacks at scale, the debate has intensified due to the inherent slowness and operational sensitivity of blockchain migrations across decentralised communities, and the difficulty in coordinating across them. Bitcoin is often viewed as particularly vulnerable in this context due to its conservative governance structure and historically cautious approach towards protocol-level changes. 

There is current evidence that approximately 6.5 to 6.9 million bitcoins are at risk of quantum exposure due to their public keys being visible on the blockchain, which represents approximately one-third of the total circulating supply of bitcoins. This includes older pay-to-public-key (P2PK) addresses that were widely used during Bitcoin's early years, and are believed to be linked to Satoshi Nakamoto's dormant wallets. 

Blockchain records directly contain the public key of legacy address formats, allowing for the reconstruction of the private key by a future quantum computer using Shor's algorithm, thereby obtaining the funds. As a result of the newer pay-to-public-key-hash (P2PKH) structures, public keys are concealed behind cryptographic hashes until a transaction is initiated, reducing the exposure of public keys. 

Once funds are spent from a P2PKH wallet, the public key becomes permanently visible on the blockchain, creating a long-term attack surface if the address is reused in the future. Researchers are also warning against utilising "harvest now, decrypt later" strategies, which involve adversaries collecting encrypted blockchains and transaction data in advance of quantum capabilities. 

The implementation of cryptographic upgrades more rapidly may be possible on proof-of-stake networks such as Ethereum, although experts caution that if defensive migration timelines fail to keep pace with computational advances, validator infrastructure and signature keys could eventually face quantum-era risk. After Google researchers released updated projections in March that indicated that it could take nearly twenty times fewer physical qubits to compromise Bitcoin's elliptic curve cryptography than estimates prepared a year earlier, concerns regarding the timeline of quantum risk intensified further. 

Despite the fact that practical quantum attacks against Bitcoin are currently outside of operational capability, the revised calculations confirm an industry understanding that the threat is gradually moving from theoretical modelling to engineering inevitability in the long term. As a result, Bitcoin is challenged by an inseparability between the technical challenge and governance. 

A consensus has not been reached on how vulnerable dormant wallets should be handled if quantum-capable systems eventually emerge. The failure to freeze or invalidate those holdings would introduce direct intervention into property ownership within a system designed specifically to resist central control, effectively creating a future race for quantum-enabled theft. There are also equally controversial implications associated with burning inaccessible balances, which force the network to make unprecedented decisions regarding asset legitimacy and protocol authority. 

In spite of all proposed mitigation strategies, the issue of who has the authority to make such decisions for a decentralised monetary system remains fundamentally unresolved. Although Bitcoin Core developers are permitted to propose code changes, they are not allowed to unilaterally modify ownership records or dormant balances without coordinated consent from miners, exchanges, custodians, node operators, and other stakeholders. 

The governance tension represents an aspect of the quantum problem that can not be fully addressed through cryptography alone in proposals such as Quantum Safe Bitcoin. In decentralised infrastructure, the underlying assumption for many years has been that any architectural limitations can eventually be resolved through upgrades and coordination with enough time and consensus. 

Quantum computing is now testing that assumption under an externally imposed technological timeframe driven not by community preference, but by advancements in physics, semiconductor engineering, and computational science. The process of transitioning Bitcoin toward post-quantum resilience will probably take time, money, and political compromise if it is to be successful. 

The network may face the fact that, if coordination fails to keep pace with technological advancement, foundational cryptographic choices made during Bitcoin's earliest design phase will not always remain secure in light of evolving computational power indefinitely. Quantum Safe Bitcoin has received a great deal of attention, but researchers emphasise that it focuses on only one layer of a much wider structural problem. 

By successfully introducing transaction-level quantum resistance, QSB provides a practical defensive mechanism for protecting active holdings against future cryptographic threats by reducing computational overhead. There is much more to the issue than just protecting individual wallets. The central challenge for Bitcoin is determining whether a decentralised network without a governing authority will be able to realistically move hundreds of millions of addresses toward a new cryptographic standard prior to quantum technologies becoming available. 

When considering the dormant wallets and inaccessible coins that cannot voluntarily participate in such a transition, the problem becomes even more complex. In order to execute an extensive migration strategy, developers, miners, exchanges, custodians, infrastructure operators, and long-term holders will need to work together as a consensus-driven governance group with incentives that may not fully align. 

While quantum computing advances are achieved through concentrated research and technological breakthroughs, decentralised coordination is generally characterised by a slow and sometimes prolonged period of ideological disagreement.

Many analysts believe this is the real test for Bitcoin in the quantum era, not in the design of stronger cryptography, but in the ability of a globally distributed financial system to collectively adjust to external technological pressures without compromising its principle of decentralisation. Bitcoin's cryptography is no longer the single focus of the quantum debate, however. Instead, the question is whether decentralised systems are capable of coordinating fast enough to survive the technological transition they cannot control. 

Post-quantum research is accelerating across the government and private sectors, resulting in unprecedented scrutiny of long-term security assumptions, dormant asset exposure, and governance resilience within the cryptocurrency industry. 

As a result of this challenge, Bitcoin's cryptographic architecture may ultimately be examined in terms of its durability, as well as its practical limits under real-world computational pressures related to decentralised consensus.
Read more »
Technology
AI Anthropic AI Claude coding assistants Malicious Activities Technology

Researchers Find Security Gap in Anthropic Skill Scanners




Security researchers have uncovered a gap in the way Anthropic Skill scanning tools inspect third-party AI packages, allowing malicious code hidden inside test files to execute on developer systems even after scanners marked the Skills as safe.

The issue centers on Anthropic Skills, reusable packages designed for AI coding assistants such as Claude Code, Cursor, and Windsurf. These packages often include instructions, scripts, and configuration files that help AI agents perform development tasks inside IDE environments.

Researchers from Gecko Security found that existing Skill scanners focus primarily on files tied directly to agent behavior, particularly SKILL.md, while ignoring bundled test files that can still run locally through standard developer tooling.

In the demonstrated attack chain, a Skill passed all scanner checks because its visible instruction files contained no prompt injection attempts, suspicious shell commands, or malicious instructions. However, the repository also included a hidden .test.ts file stored elsewhere in the directory structure. Although the file was outside the agent execution layer, it still executed through the project’s testing framework with full access to local resources.

According to researcher Jeevan Jutla, the problem begins when developers install a Skill using the npx skills add command. The installer copies nearly the entire repository into the project’s .agents/skills/ directory. Only a few items, including .git, metadata.json, and files prefixed with underscores, are excluded during installation.

Once placed inside the repository, testing frameworks such as Jest and Vitest automatically discover matching test files through recursive glob patterns. Both frameworks reportedly enable the dot:true option, allowing them to search inside hidden directories including .agents/. Mocha follows similar recursive discovery behavior in many default configurations.

A malicious Skill can therefore include a file such as reviewer.test.ts containing a beforeAll function that silently executes before visible tests begin. Researchers said these payloads can access environment variables, .env files, SSH keys, AWS credentials, deployment tokens, and other sensitive information commonly available inside local developer environments and CI pipelines. The data can then be transmitted to external servers without triggering obvious warnings during test execution.

The researchers stressed that the AI agent itself is never involved in the compromise. Instead, the malicious behavior occurs through trusted developer tooling already integrated into the software workflow. Existing scanners inspect the files the AI agent can interpret, but not the files executed separately by testing infrastructure.

The technique resembles older software supply-chain attacks involving malicious npm postinstall scripts and poisoned pytest plugins. However, Gecko Security noted that the Anthropic Skill ecosystem creates an additional propagation problem because installed Skills are often committed into shared repositories so teams can reuse them collaboratively.

GitHub’s default .gitignore templates do not automatically exclude .agents/ directories. Once a malicious test file enters the repository, every teammate cloning the project and every CI pipeline running automated tests may execute the payload across branches, forks, and deployment workflows.

The findings arrived shortly after multiple large-scale security audits examining the broader Anthropic Skills ecosystem. A January academic study named SkillScan analyzed 31,132 Skills collected from two major marketplaces and found that 26.1% contained at least one vulnerability spanning 14 separate patterns. Data exfiltration appeared in 13.3% of examined Skills, while privilege escalation appeared in 11.8%. Researchers also determined that Skills bundling executable scripts were 2.12 times more likely to contain vulnerabilities than instruction-only packages.

Several weeks later, Snyk published its ToxicSkills audit covering 3,984 Skills from ClawHub and skills.sh. The company reported that 13.4% of scanned Skills contained at least one critical-level security issue. Automated analysis combined with human review identified 76 confirmed malicious payloads, while eight malicious Skills reportedly remained publicly accessible on ClawHub when the findings were released.

In April, Cisco introduced an AI Agent Security Scanner integrated into IDE platforms including VS Code, Cursor, and Windsurf. The scanner can detect prompt injection attempts, suspicious shell execution patterns, and data exfiltration behaviors within Skill definitions and agent-referenced scripts. However, Gecko Security said bundled test files remain outside the scanner’s documented detection surface because the tool was designed around agent interaction layers rather than developer execution layers.

Researchers noted that other products, including Snyk Agent Scan and VirusTotal Code Insight, face similar structural limitations. These tools inspect what the agent is instructed to execute but may overlook code paths triggered separately through local development frameworks.

Elia Zaitsev described the broader issue as a distinction between interpreting intent and monitoring actual execution behavior. In this case, the malicious code did not depend on prompt manipulation or AI instructions. It operated as ordinary TypeScript executed through legitimate test runners with full local permissions.

Zaitsev also warned that enterprise AI agents increasingly operate with privileged access to OAuth tokens, API keys, and centralized data sources. If those credentials are accessible through environment variables during automated testing, malicious test payloads can reach sensitive infrastructure without requiring direct agent compromise.

Mike Riemer added that threat actors frequently reverse engineer security patches within 72 hours of release, while many organizations take far longer to deploy fixes. In the case of the Anthropic Skill test-file issue, researchers warned that the exposure window becomes more difficult to manage because the malicious files may execute immediately after installation without triggering scanner alerts.

Security researchers are urging development teams to block test discovery inside .agents/ directories and inspect Skill repositories for files such as *.test.*, *.spec.*, conftest.py, __tests__/, and suspicious configuration scripts before merging code.

The report also recommends pinning Skill installations to verified commit hashes rather than installing the latest repository version. Researchers said this reduces the risk of attackers submitting clean repositories for scanner approval before later inserting malicious files. The approach aligns with guidance published in the OWASP Agentic Skills Top 10 project.

Organizations that already store Skills inside repositories are advised to audit existing .agents/ directories immediately, rotate exposed credentials if suspicious files are discovered, inspect CI logs for unexplained outbound network traffic, and review repository history to identify when potentially malicious files entered development pipelines.

The researchers additionally called on security vendors to provide greater transparency regarding which directories, execution surfaces, and file categories their scanners actually inspect. They argued that security teams evaluating Anthropic Skill scanners should verify whether products analyze bundled test files, build scripts, and CI configurations rather than focusing exclusively on prompt injection and agent instruction analysis.

Read more »
Microsoft security
Credential Security Cyber Phishing Cyber Security Data protection data security Microsoft Microsoft security

Microsoft Warns Users About Rising QR Code Phishing and Quishing Scams

 

Microsoft’s cybersecurity researchers have uncovered a growing wave of phishing scams using QR codes hidden inside emails, PDF files, and fake CAPTCHA pages. Instead of clicking suspicious links, victims scan QR codes that secretly redirect them to fraudulent websites designed to steal login credentials and session data. The attacks spread quickly because they bypass many traditional security filters and often appear harmless at first glance. 

Known as “quishing,” these scams hide malicious links inside QR codes, avoiding the usual warning signs tied to suspicious URLs. Emails often create urgency through fake compliance notices, security alerts, or missed-message warnings, encouraging users to scan the code without carefully checking the sender. According to Microsoft, attackers are impersonating HR teams, IT departments, managers, and office administrators to make messages appear legitimate. 

Once scanned, users are routed through several webpages before landing on counterfeit login portals built to capture usernames, passwords, and even live session tokens capable of bypassing some two-factor authentication protections. Researchers say more than 35,000 users across approximately 13,000 organizations worldwide have already been targeted, with cases continuing to rise. Many people trust QR codes because they are commonly used for menus, payments, and sign-ins, making them less likely to question the risks behind scanning one. 
Cybercriminals are exploiting that familiarity to trick users into exposing sensitive information. A recent case highlighted by Digit.in demonstrated how convincing these scams can be. Employees reportedly received emails appearing to come from an Office 365 administrator claiming several messages were awaiting approval. Instead of links, the email included a QR code directing users elsewhere. Investigators tested the QR code using a freshly wiped mobile device across Android and iOS platforms to minimize potential risks. 

While the QR codes in that case did not install malware or alter device settings, the test showed how easily similar scams could deceive unsuspecting users. Security professionals warn that scanning unfamiliar QR codes on devices containing banking apps, work credentials, personal photos, or confidential files can expose users to serious threats without obvious warning signs. Experts recommend avoiding QR codes sent through unsolicited emails, verifying senders carefully, and checking linked addresses before entering passwords. 

As cybercriminals increasingly rely on social engineering instead of direct hacking, simple actions like scanning a QR code are becoming new entry points for digital attacks.
Read more »
Threat Investigation
AI SOC Alert Overload Cyber Security SOC Security Threat Investigation

SOC Alert Overload: Why More Analysts Won’t Help

 

Security operations centers are facing a problem that hiring alone cannot solve. Alert volumes keep rising, attackers move faster than most human teams can investigate, and many SOCs still rely on workflows built for a much smaller stream of events. The result is a widening gap between the alerts generated by modern systems and the number that can be analyzed with real depth. 

Even when organizations add analysts, the queue often remains crowded because the underlying process still depends on manual triage. That is why security experts argue the issue is not a staffing shortage alone, but an operating-model failure that leaves teams reacting instead of defending. 

Most SOCs have already tried the obvious fixes. They prioritize critical alerts, suppress noisy detections, and tune rules to reduce false positives. Those steps help, but they do not remove the central bottleneck: too many alerts still reach humans for investigation. The article explains that low- and medium-severity events are especially dangerous because attackers often hide inside them, knowing analysts are overwhelmed. When those signals sit in a backlog, the delay becomes a security weakness in itself. 

To test whether a SOC is truly under strain, security experts suggest a quick diagnostic. Leaders should ask how many high-priority alerts were actually investigated, how often detection rules were suppressed without replacement coverage, whether analyst turnover has created a fragile bench, and what task would be sacrificed if alert volume doubled overnight. If the answers reveal gaps, the problem is not effort or discipline. It is capacity, continuity, and architecture. 

The proposed answer is not to push analysts harder, but to change how investigations are handled. AI-based SOC platforms can triage alerts at scale, document reasoning, and free analysts from repetitive work. In the examples cited, teams completed thousands of investigations quickly and recovered large amounts of analyst time. That shift also allowed some organizations to reduce SIEM-related spending by cutting unnecessary ingest and storage. Humans still matter, but their role changes: they focus on insider threats, novel attack patterns, and cases that require business or regulatory judgment. 

The broader lesson is simple. Modern SOCs need a model that matches today’s attack speed and alert volume. If the queue is always full, more people will only slow the pain, not remove it. The stronger answer is to redesign the workflow so that technology handles scale and analysts handle judgment, because that is where security value actually comes from.
Read more »
Password theft
2FA Credential Theft Data Breach MaaS Password theft

What Really Happens After Your Password Gets Stolen? Researchers Trace the Cybercrime Pipeline

 



Password theft operations continue to expand despite growing public awareness campaigns around online security. Infostealer malware remains active, compromised accounts continue circulating across underground marketplaces, and stolen credentials are still being used for financial fraud, ransomware attacks, and unauthorized access to online services.

New research published by Comparitech examined how stolen passwords move through cybercriminal networks after they are first compromised. The study analyzed more than 447,000 credential leaks, breach threads, and password dumps posted across four major cybercrime forums. Altogether, the dataset contained roughly 1.1 million compromised user records collected between 2013 and 2026.

The report focused on understanding where leaked passwords ultimately end up and how attackers process them before they are used in large-scale attacks.

For many users, discovering that a password has been exposed can create immediate panic, particularly because credential theft incidents have increased sharply in recent years. Previous security reporting found that nearly 2.8 billion credentials were exposed during 2025 alone. Researchers have also raised concerns about browser-stored passwords after reports that credentials saved in browsers may sometimes become accessible in plaintext form within system memory. At the same time, stolen credentials are increasingly being used to abuse retail, cloud, and subscription-based services.

According to Comparitech researcher Paul Bischoff, analysts including Mantas Sasnauskas reviewed databases from four cybercrime forums to understand how stolen passwords are accessed, redistributed, combined, and eventually weaponized in credential-stuffing campaigns, ransomware intrusions, business email compromise incidents, and account takeover attacks.

The researchers outlined a five-stage credential supply chain. The first stage, known as “origin,” refers to how passwords are initially stolen before appearing on underground forums. The report identified infostealer malware and data breaches as the two most common starting points.

Infostealer malware is designed to silently collect sensitive information from infected devices. This can include browser-saved passwords, authentication cookies, autofill data, cryptocurrency wallet information, and session tokens that attackers can later exploit to bypass login protections.

The final stage of the supply chain involves the eventual use of stolen credentials in attacks such as ransomware deployment, unauthorized account access, and corporate breaches. However, the researchers said the middle stages of the ecosystem reveal the most about how the underground password economy functions.

The wholesale stage represents the broker market for stolen access. In this phase, attackers sell compromised credentials directly to other criminals. The report pointed to the Russian-language cybercrime forum RAMP, where pre-authenticated access to corporate systems was allegedly being offered for sale using stolen login credentials. This type of access is especially valuable because it can provide immediate entry into business networks.

The next stage, trade, involves credentials being reposted, exchanged, resold, or distributed across multiple hacker forums. Some datasets are uploaded for free to build credibility inside underground communities, while others are placed behind paid marketplaces where buyers can purchase access to larger credential collections.

The aggregation stage centers around the creation of “combolists,” which are massive databases containing usernames and passwords collected from multiple breaches. The most valuable combolists are typically cleaned and deduplicated to remove repeated records and improve their effectiveness.

Attackers frequently use these combolists in credential-stuffing operations, where automated tools test stolen username-and-password combinations across many different websites. Because many users reuse passwords across platforms, one compromised credential can sometimes unlock email accounts, banking services, shopping platforms, or workplace systems tied to the same login information.

Researchers and cybersecurity analysts have repeatedly warned that the underground market for stolen credentials continues growing alongside the rise of malware-as-a-service operations and initial access brokers. In recent years, infostealer logs containing browser credentials and authentication cookies have become widely traded across dark web forums and encrypted messaging platforms.

The report also examined how users can reduce the risk of credential theft. Security professionals continue encouraging users to adopt passkeys whenever possible because passwordless authentication systems are significantly harder to steal and reuse in automated attacks.

Experts additionally recommend avoiding password reuse across websites and services, since a single breach can otherwise expose multiple accounts at once. Password managers can help users generate and store unique credentials securely, while two-factor authentication adds another layer of verification that can block unauthorized logins even if a password becomes compromised.

As cybercrime groups continue refining credential theft operations, researchers believe password-based security systems may gradually become less reliable for protecting online accounts in the long term.

Read more »
Hacking Group
Canada Cyber Attacks Cyber Breach Digital Security Challenges education sector Education Sector Cybersecurity Hacker attack Hacking Group

ShinyHunters Cyberattack Disrupts Canvas Platform Across Universities and Schools

 

This week, a significant digital breach affected educational institutions throughout the United States, Canada, and Australia. The incident followed claims by the hacking collective ShinyHunters. Their target: Canvas, a commonly adopted online learning system. Despite its widespread use, the platform proved vulnerable. 

Though details remain partial, reports confirm active exploitation of security gaps. While some schools shifted to offline methods, others delayed classes. Because of the reach of the network, effects spread quickly. Since access was blocked at peak hours, confusion grew early. Not every region reported identical issues - some experienced minor delays instead. Even so, trust in ed-tech infrastructure has taken a hit. 

As investigations continue, officials are reviewing how data was exposed. Midway through the year’s final academic stretch, a cyberattack triggered broad system failures across roughly 9,000 schools globally. Coursework uploads faltered, exam access vanished, lectures disappeared, grading stalled - student work ground to a halt. Though Instructure owns the platform, control slipped when services went down; officials acknowledged the breach soon after. 

Recovery came slowly - Canvas returned for many, yet pockets of disruption lingered on campuses far apart. Midway through tests, alerts flashed unexpectedly - spreading uncertainty among test takers and instructors at multiple campuses. Because of the interference, assessments set for Friday at Mississippi State University got delayed without prior notice. Screens displayed warnings stating “ShinyHunters has breached Instructure (again),” followed by demands for cryptocurrency transfers to prevent data leaks. 

Some learners recalled frozen systems right when submitting answers. Though officials confirmed the incident, details remained limited throughout the afternoon. By evening, investigations had begun while backups were reviewed quietly behind closed doors. After finishing their long exam essays, one student - Aubrey Palmer - noticed the ransom note pop up. When doubts emerged about whether files were actually saved, stress began spreading through the group. 

Some felt upset right away, others grew uneasy only later. Midterms approached fast when campuses started alerting students about sudden changes. Following technical issues, Sydney advised against accessing Canvas until further details arrived from Instructure. With finals looming, the timing of the outage posed serious challenges. Though routine disruptions happen now and then, this one struck during peak assessment periods.  

Among those impacted were Penn State University, Idaho State University, the University of British Columbia, the University of Toronto, UCLA, and the University of Chicago. With IT departments reviewing how far the breach reached, some campuses postponed exams - others called them off entirely. Later on campus, Jacques Abou-Rizk noticed something off after opening an email link - he saw a message that seemed tied to a demand for payment. 

Though the note mimicked one from school staff, officials clarified they were already tracking the event. Despite initial concerns, leaders emphasized no additional platforms showed signs of intrusion. Cybersecurity analysts pointed to screenshots suggesting the attacks might have started several days before the public alerts, as seen in timed demands delivered to targeted organizations. 

While ransom discussions could still be happening behind the scenes, the hacker collective hasn’t revealed its next steps regarding the data it claims to possess. Besides earlier cases, another breach now ties back to ShinyHunters - a group already connected to several prominent corporate intrusions. While details differ, patterns point to similar tactics used before across large-scale data compromises. 

Surprisingly, the widespread outage sparked fresh worries over how ready schools really are when it comes to digital safety. At nearly the same time, officials like Senator Chuck Schumer began pushing for tougher nationwide protection - especially since artificial intelligence-driven attacks and online ransom schemes keep growing across countries.
Read more »
Data Leak
AI Bug Management Cloud Cyber Security Data Data Leak

9-Year-Old Linux bug Found by Researchers, Could Leak Data


Experts have revealed details of a bug in the Linux kernel that stayed unnoticed for nine years. The flaw is tracked as CVE-2026-46333 (CVSS score: 5.5). 

Improper bug management 

The incident is improper privilege management that could have allowed threat actors to reveal sensitive data as unprivileged local users and launch arbitrary commands on default installs such as Ubuntu, Debian, and Fedora. Its alias is aka ssh-keysign-pwn.

Vulnerability existed since 2016

Cybersecurity firm Qualys found the flaw. Since November 2016, the problem has been present in mainstream Linux (v4.10-rc1). 

Distribution updates and upstream patches are already accessible. There are publicly available working exploits, thus administrators should install vendor kernel upgrades right away, Qualys said.

Privilege compromise tactic

TRU discovered a small window in which a privileged process that is dropping its credentials can still be accessed through ptrace-family operations, despite the fact that its dumpable flag should have blocked that path, during ongoing study into Linux kernel privilege boundaries.  

Qualys also added that an attacker can obtain open file descriptors and authenticated inter-process channels from a dying privileged process and utilize them under their own uid by combining this window with the pidfd_getfd() syscall (introduced in v5.6-rc1, January 2020)

What is successful exploit?

Successful bug exploit can allow a local threat actor to reveal /etc/shadow and ho'st private keys under /etc/ssh/*_key, and deploy arbitrary commands as root via four distinct hacks attacking ssh-keysign, accounts-daemon, chage, and pkexec.

PoC exploit

The bug reveal is a proof-of-concept (PoC) exploit for the bug. It was released recently, and soon after, a public kernel surfaced. CVE-2026-46333 is the latest security bug revealed in Linux after Dirty Frag, Fragnesia, and Copy Fail in recent months.

How to stay safe

Experts have advised to use the latest kernel update released by Linux distributions. If users are unable to do it immediately, temporary patchwork includes raising "kernel.yama.ptrace_scope" to 2.
Qualys added, "On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes,” Qualys said.

Incident impact

The incident happened after the release of a PoC for a local privilege exploit known as PinTheft that lets local hackers get access to root privileges on Arch Linux systems. The hack requires the Reliable Datagram Sockets (RDS) module to be deployed on the victim system, readable SUID-root-binary, io_ring enabling, and x86_64 support for the given payload.

Read more »
Instructure
AI Canvas Cloud Data Breach Data Leak data security Instructure

Data Leak: Instructure, Canvas Allegedly Hacked, ShinyHunters Claim Responsibility


Instructure, a cloud-based LMS Canvas company was hit by a massive data attack. Ransomware gang ShinyHunters claimed responsibility for the attack, saying that it had stolen data related to 280 million students, teachers, and school staff.

100s of GBs data leaked

The data breach accounts for hundreds of gigabytes, possibly leaking Canvas users’ email ids, private messages, and names. 

Instructure revealed in May that it was hit by a data breach. The Canvas incidents of 8,809 universities, educational platforms, schools were impacted by the attack. ShinyHunters said that the numbers range between tens of thousands to several millions per institution.

It is concerning that a lot of K-12 students’ data has been leaked. If your child has been affected by the data breach, Malware Bytes can help in what to do next and how to stay safe.

Canvas compromised

Various students who tried using Canvas after the cyberattack received the message from ShinyHunters blackmailing to leak the data if Instructure did not contact the hackers by May 12. Canvas was shut down offline for various students following the incident, but it is now available for most users. 

GTA 6, Studio Rockstar were blackmailed too

ShinyHunters has been killing it this year, with only high profile targets in its track records. The group asked for a ransom from GTA 6 (a video game) Studio Rockstar in April. But in reality, it was a hoax demand as the hackers did not have anything important/worthy to leak. 

Nvidea Geforce allegedly hacked

But recently, the group allegedly claimed responsibility for the Nvidea’s GeForce Now breach, claiming to have “pulled their entire database straight from the backend."

Shiny hunters all over the place

In the Canvas incident, ShinyHunters allegedly stole user records through exposrting features inside the platform. This consists of DAP queries, APIs, and provisioning reports, according to Bleeping Computers. “The unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” Instructure said. 

It also added that it “revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms." 

The impact

Instructure also “engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements.”

However, it might be too little, too late—parents are unlikely to overlook the possibility of disclosing their children's information. The much bigger problem, though, is the disastrous harm ShinyHunters has caused to Canvas's operations and reputation, as malware historian vx-underground stated on X.

Read more »
wearable technology
CISPA research Daniel Gerhardt smartwatch security Technology wearable privacy risks wearable technology

Smart Wearables Could Become a Serious Security Threat, Researchers Warn

 

Smartwatches and other wearable gadgets are designed to make life easier by tracking everything from heart rate to sleep cycles. However, a new study by researchers at CISPA highlights the growing dangers linked to these devices if they fall into the wrong hands.

The research, conducted by doctoral researcher Daniel Gerhardt, examines the privacy and security challenges associated with on-body interaction technologies such as smartwatches, smart glasses, and connected clothing. The findings suggest that the risks extend far beyond simple data leaks.

Unlike smartphones or laptops, wearable devices remain in direct contact with the human body and continuously collect sensitive personal information. This close integration raises concerns about both digital and physical safety.

One of the most concerning revelations from the study involves the possibility of physical harm through hacked wearables. For instance, a smart jacket equipped with heating technology could potentially be manipulated to cause burns. Researchers also pointed out the possibility of cybercriminals using wearable devices for extortion. One expert involved in the study referred to this threat as “ransomware for the body.”

The report further highlights psychological risks tied to immersive wearable systems. Manipulative technologies could allegedly be used to create stress or pressure users into uncomfortable situations. Additionally, wearable devices may collect information about nearby individuals without their consent, creating privacy concerns not only for users but also for bystanders.

To address these issues, Gerhardt proposed eight design recommendations aimed at improving wearable safety. The guidelines encourage developers and technology companies to reduce unnecessary data collection, improve transparency, and strengthen both hardware and software security measures.

The study was presented at the ACM CHI Conference on Human Factors in Computing Systems, a globally recognised event focused on advancements in human-computer interaction research.

As wearable technology continues to evolve and become more integrated into daily life, researchers stress that improving safety and security standards now could help prevent major risks in the future.
Read more »
SEO Manipulation
Algorithmic Enforcement Digital Markets Act EU Antitrust Probe Google Search Rules Google Spam Policy Parasite SEO Publisher Visibility Search Ranking Abuse SEO Manipulation

Google Navigates EU Regulatory Pressure With Search Policy Shift


 

A growing regulatory backlash against search ranking practices has forced Alphabet's Google to reevaluate portions of its spam enforcement framework in response to criticism by digital publishers in Europe. Reuters has reviewed a document from the European Commission that proposes modifications in Google's site reputation abuse policy as a method of identifying and suppressing manipulative ranking tactics common to “parasite SEO,” where third-party content is published on domains with high authority in order to gain search engine credibility. 

In response to regulatory concerns that opaque policy implementation can disproportionately affect publishers and online visibility across competitive digital markets, Google may be facing a technical shift in how to balance large-scale search quality enforcement with growing antitrust concerns. 

Regulatory scrutiny intensified in November when European regulators formally examined whether Google's enforcement model under its site reputation abuse policy created unfair competitive disadvantages for its publishers. Reuters reported that the investigation was prompted by complaints from media and digital publishing organizations concerning the company’s handling of third-party hosted content aimed at exploiting existing domain ranking authority, a technique known as parasite SEO within the search optimization industry. 

It has been reported that Google has submitted a revised set of policy adjustments to address regulatory concerns relating to transparency, ranking treatment, and enforcement consistency as part of the ongoing review conducted under the European Commission's Digital Markets Act enforcement framework. Prior to the Commission proceeding to the next stage of evaluation, stakeholders and affected parties have been invited to review the proposed modifications and provide feedback. 

A Google spokesperson confirmed that active discussions with European authorities are ongoing. This indicates that Google is committed to maintaining regulatory engagement in an effort to reduce the risk of potential antitrust penalties arising from its practices in search governance. Google's latest proposal is described as a compliance measure aligned with obligations under the Digital Markets Act, with regulators providing interested parties with until next week to respond formally to the suggestions. 

According to the EU watchdog's preliminary analysis, Google's spam enforcement mechanisms were reducing the visibility of news publishers and other media platforms in Google Search when these websites contained material sourced from commercial content partnerships as a result of its spam enforcement mechanisms. It is argued by regulators that the policy affects a widely adopted monetisation structure that publishers rely on in order to generate revenue from digital advertising and syndication, in addition to spam mitigation.

According to these findings, algorithmic quality control systems are being evaluated as part of dominant search infrastructures, and whether these systems unintentionally distort the competitive landscape of online publishing. A confirmed violation of the DMA may result in penalties up to 10 percent of the company's annual global turnover being imposed on the company, creating a significant regulatory and financial stake. 

While Google had not responded to Reuters' request for additional clarification at the time of the release of the report, the European Commission declined to comment publicly on the matter. It is anticipated that the outcome of the Commission's review will influence the design and enforcement of algorithmic anti-spam controls across the broader digital publishing ecosystem. 

Additionally, the case reflects a growing regulatory concern about the effectiveness of automated ranking enforcement systems without disrupting legitimate commercial publishing models, beyond the immediate antitrust implications. 

Negotiations for Google are more than a policy adjustment exercise; they demonstrate a complex balance between maintaining search integrity, limiting manipulative SEO behavior, and complying with evolving European competition standards governing dominant technologies.
Read more »
Subscribe to: Posts (Atom)